Microsoft Finds Security Flaws in Android Apps from Rogers, Bell, Telus, Freedom [Update]

Microsoft on Friday released a list of high-severity security vulnerabilities that its researchers found in a framework shared by Android apps from several international mobile service providers, BleepingComputer reports.

The vulnerabilities, being tracked as CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601, were discovered in a mobile framework owned by mce Systems and used by Android apps distributed by multiple large telecom operators, including AT&T in the U.S., plus major carriers in Canada including Rogers, Telus, Bell and Freedom Mobile.

Apps affected by these bugs have millions of downloads on Google’s Play Store. These apps also come pre-installed on devices purchased from many of the affected carriers, increasing the risk of exploitation.

“The apps were embedded in the devices’ system image, suggesting that they were default applications installed by phone providers,” according to security researchers Jonathan Bar Or, Sang Shin Jung, Michael Peck, Joe Mansour, and Apurva Kumar of the Microsoft 365 Defender Research Team.

Microsoft’s team also noted that the Play Store was unable to detect these vulnerabilities. “All of the apps are available on the Google Play Store where they go through Google Play Protect’s automatic safety checks, but these checks previously did not scan for these types of issues,” the researchers said.

The discovered flaws exposed users to command injection and privilege escalation attacks. No instances of the vulnerabilities being exploited in the wild were reported, and all of the vendors Microsoft reached out to had patched them before they were made public.

However, the at-risk framework is shared by numerous other service providers, who may not have deployed countermeasures yet. “Several other mobile service providers were found using the vulnerable framework with their respective apps, suggesting that there could be additional providers still undiscovered that may be impacted,” the Microsoft research team added.

Users who find an app with the com.mce.mceiotraceagent package name installed on their Android device are advised to remove it immediately to eliminate the possible attack vector. Root access might be needed to fully uninstall any such apps that came pre-installed on the device.
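The check described above can be scripted over adb. The following is an added example, not code from the article or from Microsoft; it assumes adb is available and uses the `pm list packages -s` (system packages) and `-3` (third-party packages) listings, and the sample listings in it are constructed.

```shell
#!/bin/sh
# Added example: report whether the package named in the article is on a device.
TARGET_PKG="com.mce.mceiotraceagent"   # package name from the article
CR=$(printf '\r')                      # some adb builds end lines with CR

# has_pkg NAME: reads `pm list packages` output on stdin and succeeds only on
# an exact "package:NAME" line, so longer names sharing the prefix do not match.
has_pkg() {
    while IFS= read -r line; do
        line=${line%"$CR"}
        [ "$line" = "package:$1" ] && return 0
    done
    return 1
}

# classify_mce SYSTEM_LIST THIRD_PARTY_LIST
#   SYSTEM_LIST      = output of: adb shell pm list packages -s
#   THIRD_PARTY_LIST = output of: adb shell pm list packages -3
# Prints: preinstalled | user-installed | absent
classify_mce() {
    if printf '%s\n' "$1" | has_pkg "$TARGET_PKG"; then
        echo "preinstalled"
    elif printf '%s\n' "$2" | has_pkg "$TARGET_PKG"; then
        echo "user-installed"
    else
        echo "absent"
    fi
}

# Constructed sample listings (not captured from a real device).
SAMPLE_SYSTEM='package:com.android.settings
package:com.mce.mceiotraceagent
package:com.android.phone'
SAMPLE_THIRD_PARTY='package:org.example.notes
package:com.mce.mceiotraceagent.example'   # constructed near-miss name

echo "sample device: $(classify_mce "$SAMPLE_SYSTEM" "$SAMPLE_THIRD_PARTY")"
# On a real device:
# classify_mce "$(adb shell pm list packages -s)" "$(adb shell pm list packages -3)"
```

A "preinstalled" result is the case where the app sits in the system image, which is where full removal may require root access.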

“Coupled with the extensive system privileges that pre-installed apps have, these vulnerabilities could have been attack vectors for attackers to access system configuration and sensitive information,” explained the researchers.

Earlier in the year, Microsoft researchers also discovered “powerdir,” a macOS vulnerability that risked giving attackers unauthorized access to a user’s protected data.

Last month, Microsoft patched more than 128 security vulnerabilities across its software product portfolio, including Windows, Defender, Office, Exchange Server, Visual Studio, and Print Spooler, among others.

Update June 1, 2022: According to Chethan Lakshman, Vice President, External Affairs, Shaw Communications, in an email to iPhone in Canada, the company stated, “we have been made aware of vulnerabilities existing within a mobile framework configuration owned by MCE Systems and used by default Android applications installed by some mobile carriers.”

Shaw says, “our teams have been informed by MCE Systems that the version of their mobile framework containing these vulnerabilities has never been used by Shaw, meaning our network and our customers are not at risk.”

“The mobile framework configuration in question has never been deployed within our network ecosystem and is therefore not present within the Android devices sold by Shaw to Freedom Mobile and Shaw Mobile customers,” added Lakshman.