CVE-2018-14990
Description
The Coolpad Defiant device with a build fingerprint of Coolpad/cp3632a/cp3632a:7.1.1/NMF26F/099480857:user/release-keys, the ZTE ZMAX Pro with a build fingerprint of ZTE/P895T20/urd:6.0.1/MMB29M/20170418.114928:user/release-keys, and the T-Mobile Revvl Plus with a build fingerprint of Coolpad/alchemy/alchemy:7.1.1/143.14.171129.3701A-TMO/buildf_nj_02-206:user/release-keys all contain a vulnerable, pre-installed Rich Communication Services (RCS) app. The app has a package name of com.suntek.mway.rcs.app.service (versionCode=1, versionName=RCS_sdk_M_native_20161008_01; versionCode=1, versionName=RCS_sdk_M_native_20170406_01) with a broadcast receiver app component named com.suntek.mway.rcs.app.test.TestReceiver; a refactored version of the app has a package name of com.rcs.gsma.na.sdk (versionCode=1, versionName=RCS_SDK_20170804_01) with a broadcast receiver app component named com.rcs.gsma.na.test.TestReceiver. Because this broadcast receiver app component is exported, any app co-located on the device can programmatically send text messages in which the number and body of the text message are controlled by the attacker. This app cannot be disabled by the user, and the attack can be performed by a zero-permission app. A separate vulnerability in the app allows a zero-permission app to programmatically delete text messages, so the sent text messages can be removed so that the user is not alerted.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Pre-installed RCS app on Coolpad Defiant, ZTE ZMAX Pro, and T-Mobile Revvl Plus allows any app to send and delete text messages without permission.
Vulnerability
The Coolpad Defiant, ZTE ZMAX Pro, and T-Mobile Revvl Plus contain a pre-installed Rich Communication Services (RCS) app (package names com.suntek.mway.rcs.app.service and com.rcs.gsma.na.sdk) with an exported broadcast receiver component (com.suntek.mway.rcs.app.test.TestReceiver or com.rcs.gsma.na.test.TestReceiver) that allows any co-located app to programmatically send text messages. The app cannot be disabled by the user [1][2].
Exploitation
An attacker can install a zero-permission app on the device that sends an intent to the exported broadcast receiver, specifying the phone number and message body. The receiver will send the text message without any user interaction or notification. Additionally, a separate vulnerability allows the same app to delete sent messages, covering the attacker's tracks [1].
Impact
The attacker can send arbitrary text messages from the victim's device to any number, potentially incurring charges or enabling phishing attacks. The ability to delete messages prevents the user from detecting the unauthorized activity. This represents a breach of integrity and confidentiality of SMS functionality [2].
Mitigation
No official patch has been confirmed. Users are advised to be cautious about installing apps and to consider using a device without this pre-installed vulnerable app. The vendor has not provided an update as of the publication date [1][2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
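The condition behind this CVE, a broadcast receiver that is exported to every app with no permission guarding it, can be audited from a decoded AndroidManifest.xml. The following is an added example, not code from the affected app or the cited research; the sample manifest is constructed, and only the package and TestReceiver names come from the description (the intent-filter action and the other two receivers are placeholders).

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: package and TestReceiver names are from the CVE text;
# the action name and the other receivers are placeholders for illustration.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.suntek.mway.rcs.app.service">
  <application>
    <receiver android:name="com.suntek.mway.rcs.app.test.TestReceiver">
      <intent-filter><action android:name="PLACEHOLDER_ACTION"/></intent-filter>
    </receiver>
    <receiver android:name=".GuardedReceiver" android:exported="true"
              android:permission="com.example.placeholder.SIGNATURE_PERMISSION"/>
    <receiver android:name=".InternalReceiver"/>
  </application>
</manifest>"""


def is_exported(component):
    """Pre-Android 12 rule: if android:exported is absent, a component is
    exported exactly when it declares an intent filter."""
    explicit = component.get(ANDROID + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def unprotected_receivers(manifest_xml):
    """Return class names of exported receivers that no permission guards."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    if app is None:
        return []
    # A permission on <application> applies to components that set none.
    app_permission = app.get(ANDROID + "permission")
    findings = []
    for receiver in app.findall("receiver"):
        name = receiver.get(ANDROID + "name", "")
        if name.startswith("."):
            name = package + name
        permission = receiver.get(ANDROID + "permission") or app_permission
        if is_exported(receiver) and not permission:
            findings.append(name)
    return findings


if __name__ == "__main__":
    print(unprotected_receivers(SAMPLE_MANIFEST))
```

The check only reads manifest attributes, so a flagged receiver still needs review of its onReceive logic, and a declared permission still needs its protection level checked.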
Affected products (3)
- Range: 143.14.171129.3701A-TMO/buildf_nj_02-206 (Android 7.1.1)
Patches
No patches discovered yet.
References (3)
- www.kryptowire.com (mitre, x_refsource_MISC)
- www.kryptowire.com/portal/android-firmware-defcon-2018/ (mitre, x_refsource_MISC)
- www.kryptowire.com/portal/wp-content/uploads/2018/12/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-WP-Updated.pdf (mitre, x_refsource_MISC)