PT-2019-14118 · Haier+1 · Haier A6+1

Published 2019-11-14 · Updated 2020-08-24 · CVE-2019-15389

CVSS v2.0: 9.3 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Haier A6 Android device with a build fingerprint of Haier/A6/A6:8.1.0/O11019/1534219877:userdebug/release-keys

Description: The pre-installed platform app com.lovelyfont.defcontainer (versionCode=7, versionName=7.1.13) contains an exported service named com.lovelyfont.manager.FontCoverService that allows any app co-located on the device to supply arbitrary commands to be executed as the system user. This can be exploited by a zero-permission app. Additionally, the accompanying app com.ekesoo.lovelyhifonts makes network requests using HTTP, making it vulnerable to Man-in-the-Middle (MITM) attacks, which can inject commands in network responses to be executed as the system user. Executing commands as the system user can allow a third-party app to perform various malicious actions, including video recording the user's screen, factory resetting the device, obtaining user notifications, reading logcat logs, injecting events in the Graphical User Interface (GUI), and obtaining user text messages.

Recommendations: For the Haier A6 Android device with a build fingerprint of Haier/A6/A6:8.1.0/O11019/1534219877:userdebug/release-keys, consider disabling the com.lovelyfont.manager.FontCoverService as a temporary workaround until a patch is available. Restrict access to the com.lovelyfont.defcontainer app to minimize the risk of exploitation. Avoid using the com.ekesoo.lovelyhifonts app until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
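The two exposure classes in the description (a service reachable by any co-located app, and an app that talks HTTP in the clear) are both visible in an app's AndroidManifest.xml. The following audit helper is an added example, not part of this advisory and not code from the vendor or from the affected apps; it parses a manifest and reports services that other apps can start or bind to without holding a permission, using Android's documented pre-API-31 default that a component with an intent-filter and no android:exported attribute is exported, and reports whether the application opts into cleartext traffic. The sample manifest, its package name and its component names are constructed for illustration and are not the real manifest of com.lovelyfont.defcontainer.

```python
"""Flag Android manifest components reachable by co-located apps.

Added audit helper, not part of the advisory or of the vendor's apps.
It parses an AndroidManifest.xml (the constructed sample below stands in
for a real one) and reports services that any other app on the device can
start or bind to, which is the exposure class described above:
  - exported="true" with no android:permission, or
  - no exported attribute but an <intent-filter>, which Android treats as
    exported on API levels below 31.
It also reports whether the app opts into cleartext (HTTP) traffic.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:<name> attribute (namespaced) from an element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(component):
    """Apply the pre-API-31 default: an explicit attribute wins; otherwise
    the presence of an intent-filter makes the component exported."""
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def audit_manifest(manifest_xml):
    """Return a dict of findings for the given manifest text."""
    root = ET.fromstring(manifest_xml)
    findings = {
        "package": root.get("package", ""),
        "unprotected_exported_services": [],
        "cleartext_traffic": None,
    }
    app = root.find("application")
    if app is None:
        return findings
    cleartext = _attr(app, "usesCleartextTraffic")
    # None means "not set": Android allows cleartext by default when
    # targetSdkVersion < 28, so the auditor must also check the target SDK.
    findings["cleartext_traffic"] = (
        None if cleartext is None else cleartext.lower() == "true"
    )
    for svc in app.findall("service"):
        name = _attr(svc, "name") or "?"
        # Exported and ungated: any app on the device can reach it.
        if is_exported(svc) and _attr(svc, "permission") is None:
            findings["unprotected_exported_services"].append(name)
    return findings


# Constructed sample manifest: package and component names are
# illustrative, not the real com.lovelyfont.defcontainer manifest.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fontcontainer">
  <application android:label="Fonts" android:usesCleartextTraffic="true">
    <!-- Reachable by any app: explicitly exported, no permission. -->
    <service android:name=".CoverService" android:exported="true"/>
    <!-- Implicitly exported: no exported attribute, but an intent-filter. -->
    <service android:name=".SyncService">
      <intent-filter>
        <action android:name="com.example.fontcontainer.SYNC"/>
      </intent-filter>
    </service>
    <!-- Exported but gated by a permission the app declares: acceptable. -->
    <service android:name=".AdminService" android:exported="true"
             android:permission="com.example.fontcontainer.ADMIN"/>
    <!-- Private to the app. -->
    <service android:name=".WorkerService" android:exported="false"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    result = audit_manifest(SAMPLE_MANIFEST)
    print(f"package: {result['package']}")
    for name in result["unprotected_exported_services"]:
        print(f"  exported service without permission: {name}")
    print(f"  cleartext traffic allowed: {result['cleartext_traffic']}")
```

On a real device the manifest is obtained from the APK (for example with aapt or apktool); the fix on the app side is android:exported="false" for services that only the app itself needs, or an android:permission with signature protection level for services that must be exposed, together with android:usesCleartextTraffic="false" or a network security config that forbids cleartext.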
Found a problem in the description? Have something to add? Feel free to write to us 👾

Related identifiers

CVE-2019-15389

Affected products

Android
Haier A6