CVE-2018-14986

Name of the Vulnerable Software and Affected Versions Leagoo Z5C Android device with a build fingerprint of sp7731c 1h10 32v4 bird:6.0/MRA58K/android.20170629.214736:user/release-keys

Description The device contains a pre-installed app with a package name of com.android.messaging that has an exported content provider named com.android.messaging.datamodel.MessagingContentProvider. This allows any app on the device to read the most recent text message from each conversation, including the body of the text message, phone number, name of the contact, and a timestamp. A malicious app can silently monitor the content provider in the background to obtain new text messages.

Recommendations For the Leagoo Z5C Android device, consider restricting access to the com.android.messaging.datamodel.MessagingContentProvider content provider to minimize the risk of exploitation. As a temporary workaround, avoid using the com.android.messaging app until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.