VYPR
Unrated severity · NVD Advisory · Published Nov 14, 2019 · Updated Aug 5, 2024

CVE-2019-15417

Description

A pre-installed app (com.lovelyfont.defcontainer) on Tecno Spark Pro Android devices enables unauthorized dynamic code loading via a confused deputy attack, accessible to any co-located app.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Tecno Spark Pro Android device (build fingerprint TECNO/H3722/TECNO-K8:7.0/NRD90M/K8-H3722ABCDE-N-171229V:user/release-keys) includes a pre-installed app with package name com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.7.0). This app allows unauthorized dynamic code loading through a confused deputy mechanism, meaning any other app co-located on the device can trigger the loading of arbitrary external code without proper authorization checks [1].

Exploitation

An attacker needs only an app installed on the same device; no special permissions, network position, or user interaction are required. The co-located app can invoke the com.lovelyfont.defcontainer app's functionality to load dynamic code from an external source. The pre-installed app acts as a confused deputy because it does not verify the caller's identity or intent [1].

Impact

The attacker gains the ability to execute arbitrary code within the context of the com.lovelyfont.defcontainer app, potentially leading to information disclosure, file manipulation, or other unauthorized actions at the privilege level of that pre-installed app [1].

Mitigation

As of the publication date (2019-11-14), no official fix or mitigation has been disclosed. The vendor (Tecno) has not released a patch or updated build. Users may consider removing or disabling the app if possible, but no workaround is provided in the available references [1].
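A device check for the identifiers above, as an added example that is not part of the advisory or any vendor tooling: it classifies a device from its `ro.build.fingerprint` value and the output of `adb shell dumpsys package com.lovelyfont.defcontainer`. The status labels and the sample output are constructed for illustration; the package name, version and fingerprint come from the advisory text.

```python
import re

# Identifiers below are copied from the advisory text.
PACKAGE = "com.lovelyfont.defcontainer"
VERSION_CODE, VERSION_NAME = 7, "7.0.7.0"
FINGERPRINT = ("TECNO/H3722/TECNO-K8:7.0/NRD90M/"
               "K8-H3722ABCDE-N-171229V:user/release-keys")

def parse_dumpsys(text):
    """Parse `adb shell dumpsys package <PACKAGE>` output; None if not listed."""
    if f"Package [{PACKAGE}]" not in text:
        return None
    code = re.search(r"^\s*versionCode=(\d+)", text, re.M)
    name = re.search(r"^\s*versionName=(\S+)", text, re.M)
    user0 = re.search(r"^\s*User 0:.*$", text, re.M)
    line = user0.group(0) if user0 else ""
    state = re.search(r"\benabled=(\d)", line)
    return {
        "version_code": int(code.group(1)) if code else None,
        "version_name": name.group(1) if name else None,
        "installed": "installed=false" not in line,
        # PackageManager states: 0 default, 1 enabled, 2-4 disabled variants
        "enabled": state is None or state.group(1) in ("0", "1"),
    }

def assess(fingerprint, dumpsys_text):
    """Classify one device from its build fingerprint and dumpsys output."""
    info = parse_dumpsys(dumpsys_text)
    if info is None or not info["installed"]:
        return "package-absent"
    if (info["version_code"], info["version_name"]) != (VERSION_CODE, VERSION_NAME):
        return "review: version not named in advisory"
    if not info["enabled"]:
        return "affected-version-disabled"
    if fingerprint.strip() != FINGERPRINT:
        return "review: affected version on another build"
    return "affected"

# Constructed sample output, trimmed to the fields the parser reads.
SAMPLE = """Packages:
  Package [com.lovelyfont.defcontainer] (1a2b3c4):
    versionCode=7 minSdk=14 targetSdk=23
    versionName=7.0.7.0
    User 0:  installed=true hidden=false stopped=false notLaunched=false enabled=0
"""

if __name__ == "__main__":
    print(assess(FINGERPRINT, SAMPLE))
    print(assess(FINGERPRINT, SAMPLE.replace("enabled=0", "enabled=3")))
```

The two "review" results mark combinations the advisory does not name, so they call for manual inspection rather than a verdict.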

References
  1. Home

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
