Microsoft Finds Security Flaws in Android Apps from Rogers, Bell, Telus, Freedom [Update]

Microsoft on Friday released a list of high-severity security vulnerabilities its researchers found in a framework shared by Android apps from several international mobile service providers, BleepingComputer reports.
The vulnerabilities, being tracked as CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601, were discovered in a mobile framework owned by mce Systems and used by Android apps distributed by multiple large telecom operators, including AT&T in the U.S., plus major carriers in Canada including Rogers, Telus, Bell and Freedom Mobile.
Apps affected by these bugs have millions of downloads on Google’s Play Store. These apps also come pre-installed on devices purchased from many of the affected carriers, increasing the risk of exploitation.
“The apps were embedded in the devices’ system image, suggesting that they were default applications installed by phone providers,” according to security researchers Jonathan Bar Or, Sang Shin Jung, Michael Peck, Joe Mansour, and Apurva Kumar of the Microsoft 365 Defender Research Team.
Microsoft’s team also noted that the Play Store was unable to detect these vulnerabilities. “All of the apps are available on the Google Play Store where they go through Google Play Protect’s automatic safety checks, but these checks previously did not scan for these types of issues,” the researchers said.
The discovered flaws exposed users to command injection and privilege escalation attacks. No instances of the vulnerabilities being exploited in the wild were reported, and all of the vendors Microsoft reached out to had patched them before they were made public.
However, the at-risk framework is shared by numerous other service providers, who may not have deployed countermeasures yet. “Several other mobile service providers were found using the vulnerable framework with their respective apps, suggesting that there could be additional providers still undiscovered that may be impacted,” the Microsoft research team added.
If users find an app with the com.mce.mceiotraceagent package name installed on their Android device, they are advised to immediately remove it to eliminate the possible attack vector. You might need root access to fully uninstall any such apps that came pre-installed on your device.
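One way to run that check from a computer over adb, as an added example that is not part of the original report: the function below reads `pm list packages -f` output and says whether the package is absent, sits in the system image, or lives on the data partition. The sample listing and its APK paths are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): classify a package's install location
# from `pm list packages -f` output, whose lines look like
#   package:<apk path>=<package name>
TARGET_PKG="com.mce.mceiotraceagent"   # package name given in the article
CR=$(printf '\r')                      # older adb builds emit CRLF line endings

# Reads the listing on stdin; prints absent | system-image | data-partition.
classify_package() {
    pkg="$1"
    result="absent"
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$CR"}
        line=${line#package:}
        name=${line##*=}   # after the LAST '=': newer APK paths contain '='
        path=${line%=*}
        [ "$name" = "$pkg" ] || continue
        case "$path" in
            /system/*|/system_ext/*|/product/*|/vendor/*|/odm/*)
                result="system-image" ;;   # read-only partition
            *)
                # May still be an updated pre-installed app; confirm with
                # `pm list packages -s`.
                result="data-partition" ;;
        esac
    done
    printf '%s\n' "$result"
}

# Constructed sample listing; the APK paths are hypothetical.
sample_listing() {
    cat <<'EOF'
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/~~Qx1Zk3==/com.example.notes-9fTg==/base.apk=com.example.notes
package:/system/app/CarrierAgent/CarrierAgent.apk=com.mce.mceiotraceagent
EOF
}

# Demo on the sample. On a real device:
#   adb shell pm list packages -f | classify_package "$TARGET_PKG"
sample_listing | classify_package "$TARGET_PKG"
```

A `system-image` result means the APK sits on a read-only partition, which is why full removal needs root. Without root, `adb shell pm uninstall --user 0 <package>` removes it for the primary user only.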
“Coupled with the extensive system privileges that pre-installed apps have, these vulnerabilities could have been attack vectors for attackers to access system configuration and sensitive information,” explained the researchers.
Earlier in the year, Microsoft researchers also discovered “powerdir,” a macOS vulnerability that risked giving attackers unauthorized access to a user’s protected data.
Last month, Microsoft patched more than 128 security vulnerabilities across its software product portfolio, including Windows, Defender, Office, Exchange Server, Visual Studio, and Print Spooler, among others.
Update June 1, 2022: According to Chethan Lakshman, Vice President, External Affairs, Shaw Communications, in an email to iPhone in Canada, the company stated, “we have been made aware of vulnerabilities existing within a mobile framework configuration owned by MCE Systems and used by default Android applications installed by some mobile carriers.”
Shaw says, “our teams have been informed by MCE Systems that the version of their mobile framework containing these vulnerabilities has never been used by Shaw, meaning our network and our customers are not at risk.”
“The mobile framework configuration in question has never been deployed within our network ecosystem and is therefore not present within the Android devices sold by Shaw to Freedom Mobile and Shaw Mobile customers,” added Lakshman.
However opaque it may be to the users… Apple’s carrier profile system should definitely be the standard other operating systems should use for carrier deployment.
I’d be ok with a setup where after activation it has a splash screen suggesting a list of apps provided by the carrier via the carrier profile.
Aside from hardware differences here and there (due to carrier band differences and the like), phones should be untouched and interchangeable from the manufacturer, through the carrier and to the consumer.
And I realize that doesn’t actually solve the issue here, but at least it puts the onus on the user to actually install this garbageware.
One of the things people liked about the original iPhone was the lack of carrier pre-installed bloatware. This is a reminder of one of the reasons why.
Microsoft’s team also noted that the Play Store was unable to detect these vulnerabilities
———
If the tekkies at Play Store cannot find these vulnerabilities, how are hackers finding them? Are hackers that much more keen than Google’s employees?