CVE-2018-14999

Name of the Vulnerable Software and Affected Versions Leagoo P1 device with a build fingerprint of sp7731c 1h10 32v4 bird:6.0/MRA58K/android.20170629.214736:user/release-keys

Description The device contains a pre-installed platform app with a package name of com.wtk.factory that has an exported broadcast receiver named com.wtk.factory.MMITestReceiver. This allows any app co-located on the device to initiate a factory reset programmatically without requiring any permissions. A factory reset will remove all user data and apps from the device, resulting in the loss of any data that have not been backed up or synced externally.

Recommendations For the Leagoo P1 device with the specified build fingerprint, consider disabling the com.wtk.factory.MMITestReceiver broadcast receiver to prevent unauthorized factory resets. Restrict access to the com.wtk.factory app to minimize the risk of exploitation. Avoid using apps that may leverage the unprotected app component of the pre-installed platform app to initiate a factory reset. At the moment, there is no information about a newer version that contains a fix for this vulnerability.