Microsoft finds serious bugs in major mobile providers’ Android apps

Microsoft security researchers have discovered high-severity vulnerabilities in a framework used by Android apps from several major international mobile service providers.

Researchers found these vulnerabilities (tracked as CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601) in a mobile framework owned by mce Systems, exposing users to command injection and privilege escalation attacks.

The vulnerable apps have millions of downloads on Google’s Play Store and come pre-installed as system apps on devices purchased from affected carriers, including AT&T, TELUS, Rogers Communications, Bell Canada and Freedom Mobile.

“The apps were embedded in the devices’ system image, suggesting they were default apps installed by phone providers,” according to security researchers Jonathan Bar Or, Sang Shin Jung, Michael Peck, Joe Mansour and Apurva Kumar from the Microsoft 365 Defender Research Team.

“All apps are available on the Google Play Store where they go through Google Play Protect’s automatic security checks, but those checks didn’t previously check for these types of issues.

“As is the case with many pre-installed or default apps that come with most Android devices these days, some of the affected apps cannot be fully uninstalled or disabled without gaining root access to the device.”

Vulnerabilities fixed by all vendors involved

While the vendors Microsoft reached out to had already updated their apps to fix the bugs before the security flaws were disclosed today, protecting their customers from attacks, apps from other telecom carriers are also using the same buggy framework.

“Several other mobile service providers have been found using the vulnerable framework with their respective apps, suggesting that there may be other as yet undiscovered providers that could be impacted,” the researchers added.

Microsoft added that some Android devices could also be exposed to attacks attempting to exploit these flaws if an Android application (with the package name com.mce.mceiotraceagent) was installed “by multiple mobile phone repair shops”.

Those who find this app installed on their device are advised to uninstall it from their phone immediately to eliminate the attack vector.
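One way to check a device for that package over adb, shown as an added example that is not from Microsoft or BleepingComputer. It parses `pm list packages -f` output, matches the package name exactly, and reports whether the APK lives under `/data/app` or elsewhere; the function name, the path heuristic and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: look for the package named in the article in `pm list packages -f` output.
TARGET="com.mce.mceiotraceagent"

# Reads `pm list packages -f` lines on stdin. For an exact match of package name $1,
# prints "<location> <apk path>", otherwise "absent".
# Heuristic (assumption): APKs under /data/app are user-installed; any other path is
# treated as part of the preinstalled system image.
classify_pkg() {
    want="$1"
    result="absent"
    while IFS= read -r line; do
        line="${line#package:}"
        name="${line##*=}"   # the package name follows the LAST '='
        path="${line%=*}"    # the APK path may itself contain '=' on newer Android
        # Exact comparison, so a longer name sharing the prefix does not match.
        [ "$name" = "$want" ] || continue
        case "$path" in
            /data/app/*) result="user $path" ;;
            *)           result="system $path" ;;
        esac
    done
    printf '%s\n' "$result"
}

# Constructed sample output (not captured from a real device).
SAMPLE='package:/system/app/Carrier/Carrier.apk=com.example.carrier
package:/data/app/~~Qm9ndXM==/com.mce.mceiotraceagent-Zm9v==/base.apk=com.mce.mceiotraceagent
package:/data/app/~~YmFy==/com.mce.mceiotraceagent.helper-YQ==/base.apk=com.mce.mceiotraceagent.helper'

# Run with --adb to query a connected device instead of the sample.
if [ "${1:-}" = "--adb" ]; then
    adb shell pm list packages -f | tr -d '\r' | classify_pkg "$TARGET"
fi
```

A result of `absent` means the package is not installed for the current user; a `system` result corresponds to the preinstalled case the researchers describe, where removal may not be possible without root.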

“The vulnerabilities, which affected apps with millions of downloads, have been patched by all parties involved,” the researchers said.

“Combined with the extended system privileges that pre-installed applications have, these vulnerabilities could have been attack vectors allowing attackers to gain access to system configuration and sensitive information.”

Microsoft did not respond to a request to share the full list of affected apps and mobile providers when contacted by BleepingComputer earlier today.
