CVE-2019-15388

Vulnerability

The Coolpad 1851 Android device (build fingerprint Coolpad/android/android:8.1.0/O11019/1534834761:userdebug/release-keys) includes a pre-installed platform app com.lovelyfont.defcontainer (versionCode=7, versionName=7.1.13) that contains an exported service com.lovelyfont.manager.FontCoverService. This service allows any co-located app to supply arbitrary commands executed as the system user. Additionally, its companion app com.ekesoo.lovelyhifonts makes HTTP requests, enabling a Man-in-the-Middle (MITM) attack to inject commands via network responses. The app cannot be disabled by the user.

Exploitation

An attacker can exploit this vulnerability either locally or remotely. Locally, a zero-permission app installed on the device can invoke the exported service to execute arbitrary commands as system. Remotely, an attacker on the same network can perform a MITM attack on the HTTP connection from com.ekesoo.lovelyhifonts to inject a command in a network response, which will be executed by com.lovelyfont.defcontainer as system. No user interaction is required beyond installing a malicious app or MITM positioning.

Impact

Successful exploitation allows an attacker to execute arbitrary commands as the system user, leading to complete device compromise. Capabilities include factory reset, screen recording, accessing user notifications, reading logcat logs, injecting GUI events, changing the default IME to one with keylogging, and obtaining text messages and other sensitive data.

Mitigation

As of the publication date (2019-11-14), no official fix or update has been released for the Coolpad 1851. The vulnerability was disclosed by Kryptowire [1]. Users are advised to avoid installing untrusted apps and to use secure network connections. Since the app cannot be disabled, the only mitigation is to replace the device or apply a vendor patch if available.