CVE-2023-38297
📋 TL;DR
A vulnerable pre-installed Android app (com.factory.mmigroup) exposes system-level functionality to local third-party apps without requiring permissions. This allows malicious apps to execute AT commands, perform factory resets, leak device identifiers, and control device settings on affected Android devices from multiple manufacturers. The vulnerability affects specific device models from Samsung, T-Mobile, Boost Mobile, Realme, and Lenovo.
💻 Affected Systems
- Samsung Galaxy A03S
- T-Mobile Revvl 6 Pro 5G
- T-Mobile Revvl V+ 5G
- Boost Mobile Celero 5G
- Realme C25Y
- Lenovo Tab M8 HD
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise including arbitrary AT command execution (potentially enabling baseband attacks), permanent data loss via factory reset, and persistent device control.
Likely Case
Malicious apps stealing device identifiers (IMEI, serial numbers), disabling connectivity features, or performing disruptive actions like powering off devices.
If Mitigated
Limited information disclosure if app is removed or properly secured with access controls.
🎯 Exploit Status
Exploitation requires installing a malicious app but no user interaction beyond that; detailed research presented at DEF CON 31.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None provided in CVE
Restart Required: No
Instructions:
Contact device manufacturers/carriers for security updates; check for firmware updates specific to affected device models.
🔧 Temporary Workarounds
Disable or remove vulnerable app
Use ADB to disable or uninstall the com.factory.mmigroup package, if the device allows it:
adb shell pm disable-user --user 0 com.factory.mmigroup
adb shell pm uninstall -k --user 0 com.factory.mmigroup
Restrict app installations
Only install apps from trusted sources (Google Play Store) and disable unknown sources.
🧯 If You Can't Patch
- Monitor for suspicious apps requesting no permissions but accessing system functions
- Consider device replacement if on affected models and security-critical use case
🔍 How to Verify
Check if Vulnerable:
Check if com.factory.mmigroup package exists and has versionCode 3: adb shell dumpsys package com.factory.mmigroup | grep versionCode
Check Version:
adb shell dumpsys package com.factory.mmigroup | grep version
Verify Fix Applied:
Verify package is removed or disabled: adb shell pm list packages | grep factory.mmigroup
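The verification steps above combined into one triage script, added here as an example (not part of the original advisory or any vendor tooling). It assumes the device's `pm list packages` accepts `-d` and `--user 0`; the sample output is constructed, and `has_pkg`, `classify` and `check_device` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original page): triage one device for the
# pre-installed package named in this advisory.
PKG=com.factory.mmigroup

# has_pkg LIST_TEXT: true if `pm list packages` output names $PKG exactly.
has_pkg() {
    printf '%s\n' "$1" | tr -d '\r' | grep -qxF "package:$PKG"
}

# classify ALL_LIST DISABLED_LIST DUMPSYS_TEXT
# Prints one of: absent | disabled | vulnerable | review
classify() {
    # Plain `pm list packages` also lists disabled packages, so a bare grep
    # cannot tell "disabled" from "active"; the -d list is needed for that.
    has_pkg "$1" || { echo absent; return; }
    has_pkg "$2" && { echo disabled; return; }
    ver=$(printf '%s\n' "$3" | tr -d '\r' |
          sed -n 's/.*versionCode=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    # versionCode 3 is the value the advisory tells you to look for;
    # any other value is reported for manual review.
    if [ "$ver" = "3" ]; then echo vulnerable; else echo review; fi
}

# check_device: collect the three inputs over ADB and classify them.
check_device() {
    classify "$(adb shell pm list packages --user 0)" \
             "$(adb shell pm list packages -d --user 0)" \
             "$(adb shell dumpsys package "$PKG")"
}

# Constructed sample output (not captured from a real device).
SAMPLE_ALL='package:com.android.settings
package:com.factory.mmigroup'
SAMPLE_DUMPSYS='Packages:
  Package [com.factory.mmigroup] (0000000):
    versionCode=3 minSdk=29 targetSdk=29'

classify "$SAMPLE_ALL" "" "$SAMPLE_DUMPSYS"                              # active, versionCode 3
classify "$SAMPLE_ALL" "package:com.factory.mmigroup" "$SAMPLE_DUMPSYS"  # disabled
classify "package:com.android.settings" "" ""                           # removed for user 0
```

With a device attached, call `check_device` instead of the sample lines.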
📡 Detection & Monitoring
Log Indicators:
- Broadcast intents to com.factory.mmigroup/.MMIGroupReceiver
- AT command execution from non-system apps
- Unexpected factory reset or device identifier access
Network Indicators:
- Unusual baseband communication patterns if AT commands exploited
SIEM Query:
android_logs WHERE package_name = 'com.factory.mmigroup' AND intent_action CONTAINS 'broadcast'
🔗 References
- https://media.defcon.org/DEF%20CON%2031/DEF%20CON%2031%20presentations/Ryan%20Johnson%20Mohamed%20Elsabagh%20Angelos%20Stavrou%20-%20Still%20Vulnerable%20Out%20of%20the%20Box%20Revisiting%20the%20Security%20of%20Prepaid%20Android%20Carrier%20Devices.pdf