Microsoft discovered numerous bugs in an Android framework that numerous service providers use for their pre-built apps. Hence, these vulnerabilities directly affected those pre-built Android apps, thereby affecting a huge number of users. While many vendors patched the bugs with their apps following Microsoft’s report. Still, the tech giant suspects that there could be many other vendors with unpatched apps.
Microsoft Highlights Bugs In Android Apps
Sharing the details in a recent post, Microsoft has highlighted multiple security bugs affecting the mce Systems Android framework. These bugs gained importance since numerous mobile vendors use that framework in their apps that come as pre-built apps.
That means those security bugs directly affected the security of a huge number of Android devices having those apps. And, the users couldn’t do anything in this regard since removing such apps requires root access.
Regarding this discovery, Microsoft stated in its post,
We discovered that the framework, which is used by numerous apps, had a “BROWSABLE” service activity that an attacker could remotely invoke to exploit several vulnerabilities that could allow adversaries to implant a persistent backdoor or take substantial control over the device.
Although, all the affected apps are available on Google Play Store. However, Microsoft explained that Google’s Play Protect can’t detect such bugs. Hence, users would stay unaware of any exploitable flaws in such apps.
Specifically, the Microsoft team noticed four different high-severity vulnerabilities, with CVSS scores of 7.0 to 8.9, affecting the framework. These bugs include CVE-2021-42598, CVE-2021-42599 (a command-injection vulnerability in the Device service), CVE-2021-42600, and CVE-2021-42601 – local privilege escalation with deserialization followed by injection).
Whereas, the apps affected by these vulnerabilities include,
- Mobile Klinik Device Checkup (telus.checkup) – Telus
- Device Help (att.dh) – AT&T Services Inc.
- MyRogers (fivemobile.myaccount) – Rogers Communications Inc.
- Freedom Device Care (freedom.mlp.uat) – Freedom Mobile Inc.
- Device Content Transfer (ca.bell.contenttransfer) – Bell Canada
All these vendors have fixed the bugs and released the updated app versions on the Play Store. Nonetheless, there could be additional vendors with vulnerable apps. Also, Microsoft advises users to look up the package com.mce.mceiotraceagent that mobile phone repair shops may install on their devices. If found, users should delete this vulnerable package.