CVE-2018-15003
Description
The Coolpad Defiant (Coolpad/cp3632a/cp3632a:7.1.1/NMF26F/099480857:user/release-keys) and the T-Mobile Revvl Plus (Coolpad/alchemy/alchemy:7.1.1/143.14.171129.3701A-TMO/buildf_nj_02-206:user/release-keys) Android devices contain a pre-installed platform app with a package name of com.qualcomm.qti.telephony.extcarrierpack (versionCode=25, versionName=7.1.1) containing an exported broadcast receiver app component named com.qualcomm.qti.telephony.extcarrierpack.UiccReceiver that allows any app co-located on the device to programmatically perform a factory reset. In addition, the app initiating the factory reset does not require any permissions. A factory reset will remove all user data and apps from the device. This will result in the loss of any data that have not been backed up or synced externally. The capability to perform a factory reset is not directly available to third-party apps (those that the user installs themselves with the exception of enabled Mobile Device Management (MDM) apps), although this capability can be obtained by leveraging an unprotected app component of a pre-installed platform app.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Pre-installed app on Coolpad Defiant and T-Mobile Revvl Plus allows any app to factory reset the device without permissions, leading to data loss.
Vulnerability
The Coolpad Defiant (cp3632a) and T-Mobile Revvl Plus (alchemy) devices running Android 7.1.1 contain a pre-installed platform app with package name com.qualcomm.qti.telephony.extcarrierpack (versionCode=25, versionName=7.1.1). This app includes an exported broadcast receiver component named com.qualcomm.qti.telephony.extcarrierpack.UiccReceiver that can be triggered by any co-located app to perform a factory reset. The receiver is exported and does not require any permissions to invoke [1][3].
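To audit a firmware image for this class of exposure, the following added example (not code from the CVE record or its references) lists activities, services and receivers that are exported and declare no permission, which generalizes the receiver case described above. It assumes the manifest has already been decoded to text XML (for example with apktool); the package name, component names and intent action in the sample are constructed placeholders.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
COMPONENT_TAGS = ("activity", "service", "receiver")

# Constructed sample manifest (hypothetical package, components and action).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.carrierpack">
  <application>
    <receiver android:name=".OpenReceiver" android:exported="true"/>
    <receiver android:name=".ImplicitReceiver">
      <intent-filter><action android:name="com.example.ACTION_PLACEHOLDER"/></intent-filter>
    </receiver>
    <receiver android:name=".GuardedReceiver" android:exported="true"
        android:permission="android.permission.MASTER_CLEAR"/>
    <receiver android:name=".PrivateReceiver" android:exported="false">
      <intent-filter><action android:name="com.example.ACTION_PLACEHOLDER"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def full_name(package, name):
    """Expand a relative component name (".Foo" or "Foo") to a full class name."""
    if name.startswith("."):
        return package + name
    return name if "." in name else f"{package}.{name}"

def is_exported(elem):
    """Explicit android:exported wins; otherwise an intent-filter implies export
    (the default behaviour on Android 7.1.1, the release named in this CVE)."""
    flag = elem.get(A + "exported")
    if flag is not None:
        return flag.lower() == "true"
    return elem.find("intent-filter") is not None

def unprotected_components(manifest_xml):
    """Return (tag, class name) for exported components with no permission guard."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []
    for app in root.iter("application"):
        app_perm = app.get(A + "permission")  # default for all child components
        for elem in app:
            if elem.tag in COMPONENT_TAGS and is_exported(elem) \
                    and not (elem.get(A + "permission") or app_perm):
                findings.append((elem.tag, full_name(package, elem.get(A + "name", ""))))
    return findings

if __name__ == "__main__":
    for tag, name in unprotected_components(SAMPLE_MANIFEST):
        print(f"exported {tag} without permission: {name}")
```

A finding only shows that any co-located app can reach the component; what the component does on receipt still has to be reviewed.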
Exploitation
An attacker only needs an app installed on the device (including a malicious third-party app). No special permissions, user interaction, or network access is required. The attacker's app sends an intent to the exported UiccReceiver component, which triggers a factory reset. The initiating app does not need any permissions, and the reset occurs immediately upon receipt of the intent [1][3].
Impact
Successful exploitation results in a factory reset of the device, erasing all user data, installed apps, and settings. Any data not backed up or synced externally is permanently lost. The attacker gains no further privileges but can cause denial of service and data destruction [1][3].
Mitigation
No official patch or firmware update has been publicly released to address this vulnerability. The affected devices may be end-of-life. Users should avoid installing untrusted apps and consider using mobile device management (MDM) solutions that can restrict app components. As of the publication date, this vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [1][3].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =7.1.1 (143.14.171129.3701A-TMO/buildf_nj_02-206)
Patches
No patches discovered yet.
References
- www.kryptowire.com (mitre, x_refsource_MISC)
- www.kryptowire.com/portal/android-firmware-defcon-2018/ (mitre, x_refsource_MISC)
- www.kryptowire.com/portal/wp-content/uploads/2018/12/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-WP-Updated.pdf (mitre, x_refsource_MISC)