CVE-2018-14987

Name of the Vulnerable Software and Affected Versions MXQ TV Box version 4.4.2

Description The Android framework in the MXQ TV Box contains a dynamically registered broadcast receiver app component named com.android.server.MasterClearReceiver. This component is not protected with the android.permission.MASTER CLEAR permission, allowing any co-located app to initiate a factory reset of the device. This can result in the loss of user data and apps that have not been backed up or synced externally.

Recommendations For MXQ TV Box version 4.4.2, consider disabling the com.android.server.MasterClearReceiver broadcast receiver app component to prevent unauthorized factory resets until a patch is available. Restrict access to the Android framework to minimize the risk of exploitation. Avoid using apps that may leverage the unprotected app component of the core Android process.