CVE-2019-15349

Vulnerability

The Tecno Camon Android device (build fingerprint TECNO/H612/TECNO-ID5a:8.1.0/O11019/F-180828V106:user/release-keys) ships with a pre-installed platform app com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.11) [1]. This app exports a service named com.lovelyfont.manager.service.FunctionService that accepts a file path to a Dalvik Executable (DEX) supplied by any app on the device and dynamically loads that DEX into its own process, executing it with the app's system privileges [1]. The app cannot be disabled by the user [1].

Exploitation

An attacker needs only a co-located, zero-permission app on the device [1]. The attacking app calls the exported FunctionService with the path to a malicious DEX file; the service loads and runs the DEX in the context of com.lovelyfont.defcontainer, which holds system privileges [1]. No additional permissions or user interaction are required [1].

Impact

Successful exploitation grants the attacker arbitrary code execution as the system user [1]. This enables a wide range of actions: factory resetting the device, video recording the user's screen, reading notifications and logcat logs, injecting GUI events, obtaining Wi-Fi passwords, changing the default IME (keyboard) to one with keylogging functionality, and accessing the user's text messages [1].

Mitigation

No official fix has been disclosed in the available references [1]. Users cannot disable the vulnerable app. The presence of this pre-installed component on the device may be addressed only through a system firmware update or by replacing the device [1]. Not listed on CISA's KEV.