Critical bugs in Android apps from major Mobile providers
Security researchers at Microsoft have detected high severity vulnerabilities in a framework used by Android apps from multiple major international mobile service providers.
These researchers found the flaws (tracked as CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601) in a mobile framework owned by mce Systems that exposes users to command injection and privilege escalation attacks. The vulnerable apps have millions of downloads on Google’s Play Store and come pre-installed as system applications on most devices bought from affected telecommunication operators, including AT&T, TELUS, Rogers Communications, Bell Canada and Freedom Mobile.
“The apps were embedded in the devices’ system image, suggesting that they were default applications installed by phone providers,” according to security researchers Jonathan Bar Or, Sang Shin Jung, Michael Peck, Joe Mansour, and Apurva Kumar of the Microsoft 365 Defender Research Team. “All of the apps are available on the Google Play Store where they go through Google Play Protect’s automatic safety checks, but these checks previously did not scan for these types of issues. As it is with many of the pre-installed or default applications that most Android devices come with these days, some of the affected apps cannot be fully uninstalled or disabled without gaining root access to the device.”
Microsoft added that some Android devices might also be exposed to threats trying to abuse these flaws if an Android app with the package name com.mce.mceiotraceagent was installed “by several mobile phone repair shops.” If this app is installed on your device, it is advised that you uninstall it immediately to remove the attack vector. “The vulnerabilities, which affected apps with millions of downloads, have been fixed by all involved parties,” the researchers said. “Coupled with the extensive system privileges that pre-installed apps have, these vulnerabilities could have been attack vectors for attackers to access system configuration and sensitive information.”
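The practical follow-up to the advice above is to check whether the trace-agent package is present on a device and, if so, whether it can be removed with a plain uninstall or sits on the system image (where, as the researchers note, removal needs root). The following is an added example, not code from the article or from Microsoft’s research: a POSIX shell function that parses the output of the real Android command `adb shell pm list packages -f` (one `package:<apk path>=<package name>` line per app). The package name com.mce.mceiotraceagent is taken from the article; the sample `pm` output and the other package names in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article or Microsoft's research).
# Classify a package from `adb shell pm list packages -f` output as:
#   absent  - not installed
#   user    - installed under /data (removable with `adb uninstall <pkg>`)
#   system  - installed under /system (not removable without root)
# The trace-agent package name below is from the article; the sample output
# is constructed and stands in for a real `adb shell pm list packages -f` run.

TRACE_AGENT_PKG='com.mce.mceiotraceagent'

# Constructed sample of pm output: one "package:<apk path>=<package name>" per line.
SAMPLE_PM_OUTPUT='package:/system/priv-app/Carrier/Carrier.apk=com.example.carrier
package:/data/app/com.mce.mceiotraceagent-1/base.apk=com.mce.mceiotraceagent
package:/system/app/Calendar/Calendar.apk=com.android.calendar'

# find_package <pm output> <package name>
# Prints "absent", "user" or "system" for the named package.
find_package() {
    pm_output=$1
    pkg=$2
    # Split each line on '=': the last field is the package name, the first is
    # "package:<apk path>". Exact string comparison avoids regex surprises with dots.
    path=$(printf '%s\n' "$pm_output" | awk -F'=' -v want="$pkg" '
        $NF == want { sub(/^package:/, "", $1); print $1; exit }')
    case "$path" in
        "")        echo absent ;;
        /system/*) echo system ;;
        *)         echo user ;;
    esac
}

# Stand-alone usage against the constructed sample; on a real device you would
# feed it "$(adb shell pm list packages -f)" instead.
status=$(find_package "$SAMPLE_PM_OUTPUT" "$TRACE_AGENT_PKG")
echo "$TRACE_AGENT_PKG: $status"
```

When the result is `user`, a normal uninstall removes the package; when it is `system`, the app is part of the device image and only the vendor’s fixed update, not a user-level uninstall, resolves it.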