CVE-2018-15002

Name of the Vulnerable Software and Affected Versions Vivo V7 device with a build fingerprint of vivo/1718/1718:7.1.2/N2G47H/compil11021857:user/release-keys com.qualcomm.qti.modemtestmode app version 7.1.2

Description The issue allows any app co-located on the device to set system properties as the com.android.phone user. This is possible due to an exported service named com.qualcomm.qti.modemtestmode.MbnTestService in the com.qualcomm.qti.modemtestmode app. System properties with the persist.* prefix can be set, which will survive a reboot. Notably, setting the persist.sys.input.log property to "yes" will cause the user's screen touches to be written to the logcat log by the InputDispatcher for all apps. The system-wide logcat log can be obtained from external storage, and with the READ EXTERNAL STORAGE permission, an app can access the log files containing the user's touch coordinates. These touch coordinates can be mapped to key presses on a keyboard with some effort.

Recommendations For the Vivo V7 device with a build fingerprint of vivo/1718/1718:7.1.2/N2G47H/compil11021857:user/release-keys, consider disabling the com.qualcomm.qti.modemtestmode.MbnTestService to prevent apps from setting system properties. For the com.qualcomm.qti.modemtestmode app version 7.1.2, avoid using the persist.sys.input.log property to prevent logging of user touch coordinates. Restrict access to external storage to minimize the risk of obtaining the system-wide logcat log. Avoid granting the READ EXTERNAL STORAGE permission to untrusted apps to prevent access to log files containing user touch coordinates. At the moment, there is no information about a newer version that contains a fix for this vulnerability.