CVE-2018-14994

Name of the Vulnerable Software and Affected Versions Essential Phone Android device with a build fingerprint of essential/mata/mata:8.1.0/OPM1.180104.166/297:user/release-keys

Description The device contains a pre-installed platform app with a package name of com.ts.android.hiddenmenu that has an exported activity app component named com.ts.android.hiddenmenu.rtn.RTNResetActivity. This component allows any app on the device to initiate a factory reset programmatically without requiring any permissions. A factory reset will remove all user data and apps from the device, resulting in the loss of any data that have not been backed up or synced externally.

Recommendations For the Essential Phone Android device with a build fingerprint of essential/mata/mata:8.1.0/OPM1.180104.166/297:user/release-keys, consider disabling the com.ts.android.hiddenmenu.rtn.RTNResetActivity component to prevent unauthorized factory resets until a patch is available. Restrict access to the com.ts.android.hiddenmenu app to minimize the risk of exploitation. Avoid using apps that may leverage the vulnerable component to initiate a factory reset.