CVE-2018-15004

Name of the Vulnerable Software and Affected Versions Coolpad Canvas device with a build fingerprint of Coolpad/cp3636a/cp3636a:7.0/NRD90M/093031423:user/release-keys com.qualcomm.qti.modemtestmode version 7.0 com.yulong.logredirect version 5.25 20160622 01

Description The issue allows any app on the device to set certain system properties as the com.android.phone user, potentially enabling logging of sensitive information. By setting the persist.service.logr.enable system property to 1, an app can initiate writing of system-wide logcat logs, kernel logs, and tcpdump network traffic captures to external storage. This could include logging of outgoing text message details such as destination phone numbers and message bodies. Logging can be done without notification if enabled after device startup and disabled before shutdown.

Recommendations For the Coolpad Canvas device, consider restricting access to the com.qualcomm.qti.modemtestmode.MbnTestService to prevent unauthorized setting of system properties. For apps with the READ EXTERNAL STORAGE permission, restrict access to external storage to minimize the risk of accessing log files. As a temporary workaround, consider disabling the com.qualcomm.qti.modemtestmode app until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.