CVE-2024-13916 is a medium-severity vulnerability affecting the com.pri.applock application pre-installed on Kruger&Matz smartphones, specifically version 13 (version code 33). This application is designed to allow users to encrypt other applications using a PIN code or biometric data for enhanced security. However, the vulnerability arises from an improperly exported Android application component, specifically the content provider com.android.providers.settings.fingerprint.PriFpShareProvider. The public method query() of this content provider is exposed without requiring any Android system permissions, allowing any malicious application installed on the device to invoke it and exfiltrate the user’s PIN code used for application encryption. This represents a CWE-926 (Improper Export of Android Application Components) weakness, where sensitive components are exposed to untrusted apps. The vulnerability does not require any user interaction, elevated privileges, or authentication, making exploitation relatively straightforward once a malicious app is installed on the device. The CVSS 4.0 base score is 6.9, reflecting a medium severity with local attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality (PIN code exposure). The vulnerability was confirmed in the tested version 13 of the app, and an update was released in April 2025 to address the issue. No known exploits are currently reported in the wild. The vulnerability compromises the confidentiality of sensitive user credentials (PIN codes), potentially allowing attackers to bypass app-level encryption and gain unauthorized access to protected applications and data on the affected smartphones.

For European organizations, especially those whose employees use Kruger&Matz smartphones with the vulnerable com.pri.applock version, this vulnerability poses a significant risk to the confidentiality of sensitive data. Attackers could deploy malicious applications to exfiltrate PIN codes used to encrypt apps, thereby bypassing user-level encryption controls. This could lead to unauthorized access to corporate apps, confidential communications, or sensitive personal data stored within encrypted apps. The impact is particularly critical for sectors handling sensitive information such as finance, healthcare, government, and critical infrastructure. Additionally, since the vulnerability requires no special permissions or user interaction, it increases the risk of stealthy compromise. Organizations relying on these devices for secure mobile access should be aware of potential data leakage risks and the possibility of lateral movement within corporate networks if compromised devices are connected to internal resources.

1. Immediate update: Organizations and users should ensure that the com.pri.applock application is updated to the patched version released in April 2025, which addresses the improper export of the content provider. 2. Application control: Implement mobile device management (MDM) policies to restrict installation of untrusted or unknown applications on Kruger&Matz devices to reduce the risk of malicious apps exploiting this vulnerability. 3. Device inventory and monitoring: Identify all Kruger&Matz smartphones in use and verify the installed version of com.pri.applock; prioritize patching or device replacement if updates are unavailable. 4. Network segmentation: Limit network access from mobile devices to sensitive corporate resources to reduce potential lateral movement if a device is compromised. 5. User awareness: Educate users on the risks of installing apps from untrusted sources and encourage vigilance regarding app permissions and behavior. 6. Consider alternative security solutions: Where feasible, replace or supplement com.pri.applock with more secure application encryption tools that follow best practices for component exposure and permission management.