Microsoft has publicly disclosed a series of vulnerabilities in a mobile framework used in Android apps "with millions of downloads" that could have exposed their users to attacks.
The company says it "uncovered high-severity vulnerabilities in a mobile framework owned by mce Systems and used by multiple large mobile service providers in pre-installed Android System apps that potentially exposed users to remote (albeit complex) or local attacks."
The vulnerabilities have been identified as CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601; Microsoft says the flaws have received Common Vulnerability Scoring System (CVSS) scores between 7.0 and 8.9 out of 10.
The company says that mce Systems' mobile framework includes a service that an attacker "could remotely invoke to exploit several vulnerabilities that could allow adversaries to implant a persistent backdoor or take substantial control over the device."
Microsoft says it discovered the security flaws in September 2021. It then informed mce Systems and "the affected mobile service providers" of the vulnerabilities and collaborated with those companies to mitigate the problems so the relevant apps couldn't be exploited by hackers.
"We worked closely with mce Systems’ security and engineering teams to mitigate these vulnerabilities," Microsoft says, "which included mce Systems sending an urgent framework update to the impacted providers and releasing fixes for the issues. At the time of publication, there have been no reported signs of these vulnerabilities being exploited in the wild."
The company also informed Google of these security flaws.