CVE-2019-15346 in Camon iClick 2
Summary
by MITRE
The Tecno Camon iClick 2 Android device with a build fingerprint of TECNO/H622/TECNO-ID6:8.1.0/O11019/F-180824V116:user/release-keys contains a pre-installed platform app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.11). This app contains an exported service named com.lovelyfont.manager.service.FunctionService that allows any app co-located on the device to supply the file path to a Dalvik Executable (DEX) file which it will dynamically load within its own process and execute in with its own system privileges. This app cannot be disabled by the user and the attack can be performed by a zero-permission app. Executing commands as the system user can allow a third-party app to video record the user's screen, factory reset the device, obtain the user's notifications, read the logcat logs, inject events in the Graphical User Interface (GUI), and obtains the user's text messages, and more. Executing code as the system user can allow a third-party app to factory reset the device, obtain the user's Wi-Fi passwords, obtain the user's notifications, read the logcat logs, inject events in the GUI, change the default Input Method Editor (IME) (e.g., keyboard) with one contained within the attacking app that contains keylogging functionality, and obtains the user's text messages, and more.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 02/14/2024
This vulnerability exists in the Tecno Camon iClick 2 Android device where a pre-installed platform application named com.lovelyfont.defcontainer contains a critical security flaw that allows arbitrary code execution with system-level privileges. The vulnerable component is an exported service called com.lovelyfont.manager.service.FunctionService which operates without requiring any permissions from the calling application. This service accepts file paths to Dalvik Executable files and dynamically loads them within the same process, effectively enabling code execution with the system user's privileges. The vulnerability is particularly dangerous because the malicious application cannot be disabled by users, making it a persistent threat that operates outside normal security controls.
The technical implementation of this flaw stems from improper permission controls and insecure service exposure within the Android application framework. The exported service acts as a code loader that can execute any DEX file provided by another application on the device, creating a privilege escalation vector that bypasses standard Android security mechanisms. This type of vulnerability aligns with CWE-787: "Out-of-bounds Write" and CWE-20: "Improper Input Validation" as it allows unauthorized code execution through malformed input parameters. The service operates with elevated privileges because it runs within the system context and lacks proper input sanitization or access controls to prevent unauthorized usage.
The operational impact of this vulnerability is severe and encompasses multiple attack vectors that can compromise user privacy and device integrity. A malicious third-party application can leverage this vulnerability to perform actions that would normally require system-level permissions, including screen recording, factory resetting the device, accessing notifications, reading system logs, injecting GUI events, and intercepting text messages. Additionally, the attacker can change the default input method editor to one containing keylogging capabilities, allowing for comprehensive data theft. This vulnerability essentially provides a backdoor that enables persistent surveillance and control over the device, making it a prime target for advanced persistent threats and mobile malware attacks.
The attack surface is particularly concerning due to the zero-permission requirement for exploitation, meaning any application can trigger this vulnerability without requesting additional permissions. This characteristic places the vulnerability in the ATT&CK framework category of privilege escalation through service manipulation and code injection. The pre-installed nature of the vulnerable application makes it impossible for users to remove or disable the component, creating a permanent security risk. Mitigation efforts should focus on immediate firmware updates from the device manufacturer, implementation of application blacklisting mechanisms, and deployment of mobile device management solutions that can detect and prevent execution of suspicious code patterns. Organizations should also consider network-level monitoring to detect anomalous behavior that might indicate exploitation attempts.