CVE-2019-15416

Name of the Vulnerable Software and Affected Versions Sony keyaki kddi Android device with a build fingerprint of Sony/keyaki kddi/keyaki kddi:7.1.1/TONE3-3.0.0-KDDI-170517-0326/1:user/dev-keys

Description The issue concerns a pre-installed app with a package name of com.kddi.android.packageinstaller that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device that can obtain signatureOrSystem permissions required by other pre-installed apps that exported their capabilities to other pre-installed apps.

Recommendations For the Sony keyaki kddi Android device with the specified build fingerprint, consider restricting access to the com.kddi.android.packageinstaller app to minimize the risk of exploitation until a patch is available. As a temporary workaround, review and limit the permissions granted to pre-installed apps, especially those related to signatureOrSystem permissions, to reduce the potential for unauthorized app installations.