PT-2024-12702 · Unknown · Com.Factory.Mmigroup

Published: 2024-04-22 · Updated: 2024-10-25 · CVE-2023-38297

CVSS v3.1: 8.4 (High)
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
com.factory.mmigroup version 2.1

Description
An issue was discovered in the com.factory.mmigroup component, shipped on devices from multiple device manufacturers. Certain software builds for various Android devices contain a vulnerable pre-installed app that allows local third-party apps to perform various actions due to inadequate access control. The app executes as the system user, allowing it to interact with the baseband processor and perform sensitive actions. The following capabilities are exposed to zero-permission, third-party apps on various devices: arbitrary AT command execution via AT command injection, programmatic factory reset, leaking IMEI, leaking serial number, powering off the device, programmatically enabling/disabling airplane mode, and enabling Wi-Fi, Bluetooth, and GPS. No permissions or special privileges are necessary to exploit the vulnerabilities, and no user interaction is required beyond installing and running a third-party app.

Recommendations
As a temporary workaround, consider disabling the com.factory.mmigroup app until a patch is available. Restrict access to the com.factory.mmigroup app to minimize the risk of exploitation. Avoid using the com.factory.mmigroup/.MMIGroupReceiver Intent until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
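
A triage helper for the workaround above, as an added example (not from the advisory or the vendor): it classifies the text of `dumpsys package com.factory.mmigroup` so a device audit can flag units that still have version 2.1 enabled. The dumpsys field layout and the sample text are assumptions based on stock AOSP output, and the function name `mmigroup_status` is hypothetical.

```shell
#!/bin/sh
# Added example, not vendor code. Assumes AOSP-style `dumpsys package` output.
PKG="com.factory.mmigroup"
AFFECTED_VERSION="2.1"            # affected version named in the advisory

# mmigroup_status (hypothetical helper): reads `dumpsys package $PKG` text on
# stdin and prints one of:
#   absent | affected-enabled | affected-disabled | other-version:<v>
mmigroup_status() {
    awk -v pkg="$PKG" -v bad="$AFFECTED_VERSION" '
        $0 ~ ("Package \\[" pkg "\\]") { found = 1 }
        found && /versionName=/ { sub(/.*versionName=/, ""); ver = $1 }
        found && /User 0:/ && match($0, /enabled=[0-9]+/) {
            state = substr($0, RSTART + 8, RLENGTH - 8)
        }
        END {
            if (!found) { print "absent"; exit }
            # Compare as strings so "2.10" is not treated as equal to "2.1".
            if ((ver "") != (bad "")) { print "other-version:" ver; exit }
            # PackageManager enabled states: 2 = disabled, 3 = disabled-user.
            if (state == "2" || state == "3") print "affected-disabled"
            else print "affected-enabled"
        }'
}

# Constructed sample (not captured from a real device).
SAMPLE='  Package [com.factory.mmigroup] (1a2b3c4):
    userId=1000
    versionName=2.1
    User 0: ceDataInode=0 installed=true hidden=false stopped=false enabled=0'

printf '%s\n' "$SAMPLE" | mmigroup_status

# On a connected device:
#   adb shell dumpsys package com.factory.mmigroup | mmigroup_status
# Workaround from the advisory (disable for the primary user):
#   adb shell pm disable-user --user 0 com.factory.mmigroup
```

Re-run the check after applying the workaround and after every firmware update, since an OTA can re-enable or replace pre-installed packages.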

Improper Access Control

Weakness Enumeration

Related Identifiers: CVE-2023-38297

Affected Products: Com.Factory.Mmigroup