Vulnerability in Tecno Camon iClick 2 Android Device Allows Unauthorized Access
CVE-2019-15346

7.8HIGH

Key Information:

Vendor: Tecno-mobile
Status: Camon Iclick 2 Firmware
Vendor: CVE Published:; 14 November 2019

Summary

The Tecno Camon iClick 2 includes a pre-installed platform app that exposes an exported service allowing the execution of malicious Dalvik Executable (DEX) files. This vulnerability enables any app installed on the device to request the execution of code with system-level privileges, leading to severe privacy risks. Malicious apps can perform actions such as screen recording, factory resetting the device, accessing the user's notifications, reading logcat logs, injecting events into the graphical user interface, and retrieving sensitive user information like text messages and Wi-Fi passwords. The vulnerability arises from the inability for users to disable the vulnerable app, creating opportunities for zero-permission apps to exploit this flaw and compromise user safety.

References

https://www.kryptowire.com/android-firmware-2019/

x_refsource_MISC

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 14, 2019
Vulnerability Reserved
Aug 22, 2019