CVE-2018-15003

Name of the Vulnerable Software and Affected Versions Coolpad Defiant version 7.1.1 T-Mobile Revvl Plus version 7.1.1

Description The issue concerns a pre-installed platform app with a package name of com.qualcomm.qti.telephony.extcarrierpack that contains an exported broadcast receiver app component named com.qualcomm.qti.telephony.extcarrierpack.UiccReceiver. This component allows any app co-located on the device to programmatically perform a factory reset without requiring any permissions. A factory reset will remove all user data and apps from the device, resulting in the loss of any data that have not been backed up or synced externally.

Recommendations For Coolpad Defiant version 7.1.1, consider disabling the com.qualcomm.qti.telephony.extcarrierpack.UiccReceiver component to prevent unauthorized factory resets. For T-Mobile Revvl Plus version 7.1.1, restrict access to the com.qualcomm.qti.telephony.extcarrierpack app to minimize the risk of exploitation.