CVE-2018-14991

Vulnerability

The Coolpad Defiant, ZTE ZMAX Pro, and T-Mobile Revvl Plus contain a pre-installed Rich Communication Services (RCS) app with package names com.suntek.mway.rcs.app.service (version 1, RCS_sdk_M_native_20161008_01) and com.rcs.gsma.na.sdk (version 1, RCS_SDK_20170804_01). These apps expose an exported content provider (com.suntek.mway.rcs.app.service.provider.message.MessageProvider and com.rcs.gsma.na.provider.message.MessageProvider) that acts as a wrapper to the official SMS content provider, allowing any co-located app to access the user's text messages without any permissions [1][2].

Exploitation

An attacker can install a zero-permission malicious app on the device. This app can directly query the exported content provider to read, write, insert, and modify the user's SMS messages. No additional permissions are required because the content provider is exported and accessible to any app on the device. The attack requires the malicious app to be installed on the device, which can be achieved through social engineering or other means.

Impact

Successful exploitation allows a malicious app to fully control the user's SMS messages: reading all text messages, sending new messages, deleting messages, and inserting fake messages. This can lead to privacy breaches, financial fraud (e.g., intercepting SMS-based 2FA codes), and impersonation attacks. The vulnerable app cannot be disabled by the user, increasing the persistence of the threat.

Mitigation

As of the publication date (2019-04-25), no official patches have been announced by the device manufacturers (Coolpad, ZTE, T-Mobile). Users are advised to avoid installing untrusted apps and consider using third-party SMS apps that provide better security. The affected devices may be end-of-life or no longer receiving security updates. No workaround exists to disable the vulnerable app without root access.