Intent Injection in Kruger&Matz AppLock application
An application "com.pri.applock", which is pre-loaded on Kruger&Matz smartphones, allows a user to encrypt any application using user-provided PIN code or by using biometric data.
Exposed ”com.pri.applock.LockUI“ activity allows any other malicious application, with no granted Android system permissions, to inject an arbitrary intent with system-level privileges to a protected application. One must know the protecting PIN number (it might be revealed by exploiting CVE-2024-13916) or ask the user to provide it.
Only version (version name: 13, version code: 33) was tested and confirmed to have this vulnerability.
Application update was released in April 2025.
Problem Types
| Type | CWE ID | Description |
|---|
| CWE | CWE-926 | CWE-926 Improper Export of Android Application Components |
Type: CWE
Description: CWE-926 Improper Export of Android Application Components
Metrics
| Version | Base score | Base severity | Vector |
|---|
| 4.0 | 8.3 | HIGH | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
Version: 4.0
Base score: 8.3
Base severity: HIGH
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N