CVE-2018-14984

Name of the Vulnerable Software and Affected Versions Leagoo Z5C Android device with a build fingerprint of sp7731c 1h10 32v4 bird:6.0/MRA58K/android.20170629.214736:user/release-keys

Description The issue concerns a pre-installed app with a package name of com.android.messaging that has an exported broadcast receiver app component named com.android.messaging.trackersender.TrackerSender. This allows any app on the device to send a broadcast intent with specific data to the receiver, resulting in the sending of a text message. The phone number and body of the text message can be controlled by the attacker.

Recommendations For the Leagoo Z5C Android device, consider disabling the com.android.messaging.trackersender.TrackerSender component until a patch is available to prevent potential exploitation. Restrict access to the com.android.messaging app to minimize the risk of unauthorized text message sending.