Arbitrary File Reads/Writes via Missing Permission in Pre-Installed Apps
CVE-2023-38295

Currently unrated

Key Information:

Vendor: TCL

CVE Published: 22 April 2024

What is CVE-2023-38295?

Certain software builds for TCL 30Z and TCL 10 Android devices include vulnerable pre-installed applications that lack essential permissions, allowing third-party apps to gain unauthorized access to system-level functionality. Specifically, the vulnerability arises from the missing permission com.tct.smart.switchphone.permission.SWITCH_DATA: because it is missing, malicious applications can interact with system-level service components and perform arbitrary file reads and writes without user intervention. The risk is particularly evident in the pre-installed screen recording application on the TCL 30Z and the SOS application on the TCL 10L, both of which are susceptible to exploitation in this manner. The vulnerability has been confirmed on various builds, exposing users of these devices to potential loss of privacy and data integrity.
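
One way to audit a firmware image for this condition, as an added example that is not part of the original advisory: it flags components whose required custom permission is not defined by any manifest in the set. It assumes "missing permission" means a permission that components require but no package defines; the manifests are constructed samples, the package and component names are hypothetical, and treating only android.permission.* as platform-defined is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "service", "receiver", "provider")
NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'

# Constructed sample manifests (decoded text form); package and component
# names are hypothetical. Only the permission name comes from the advisory.
SAMPLE_MANIFESTS = [
    f"""<manifest {NS} package="com.example.recorder">
      <application>
        <service android:name=".FileService" android:exported="true"
          android:permission="com.tct.smart.switchphone.permission.SWITCH_DATA"/>
      </application>
    </manifest>""",
    f"""<manifest {NS} package="com.example.guarded">
      <permission android:name="com.example.guarded.permission.SYNC"
        android:protectionLevel="signature"/>
      <application>
        <receiver android:name=".SyncReceiver" android:exported="true"
          android:permission="com.example.guarded.permission.SYNC"/>
      </application>
    </manifest>""",
]

def declared_permissions(manifests):
    """Return every custom permission defined by a <permission> element."""
    return {p.get(ANDROID + "name")
            for text in manifests
            for p in ET.fromstring(text).iter("permission")}

def undefined_guards(manifests, platform_prefix="android.permission."):
    """List (package, component, permission) where the guard is undefined."""
    defined = declared_permissions(manifests)
    findings = []
    for text in manifests:
        root = ET.fromstring(text)
        for comp in root.iter():
            required = comp.get(ANDROID + "permission")
            if comp.tag not in COMPONENTS or not required:
                continue
            # Assumption: android.permission.* is defined by the platform.
            if required.startswith(platform_prefix) or required in defined:
                continue
            findings.append((root.get("package"), comp.get(ANDROID + "name"), required))
    return findings

if __name__ == "__main__":
    for finding in undefined_guards(SAMPLE_MANIFESTS):
        print("guarded by undefined permission:", finding)
```

The check covers the component-level android:permission attribute only; provider read/write permissions and application-level permissions would need the same lookup.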
