Four very serious vulnerabilities have been revealed in a framework used by pre-installed Android System apps with millions of downloads.
The issues, now resolved by Israeli developer MCE Systems, could have allowed threats to perform remote and local attacks or be exploited as vectors to obtain sensitive information using their extended system privileges.
“As with many of the pre-installed or default applications that most Android devices ship today, some of the affected apps cannot be completely removed or disabled without gaining root access to the device,” the Microsoft 365 Defender Research Team said in a statement. . a report published Friday.
The weaknesses, which range from command injection to local privilege escalation, have the identifiers CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601, with CVSS scores between 7, 0 and 8.9.
|Command-injection proof-of-concept (POC) exploit code|
The vulnerabilities were discovered and reported in September 2021, and there is no evidence of the vulnerabilities being exploited in the wild.
Microsoft has not disclosed the full list of apps that use the vulnerable framework in question, which is designed to provide self-diagnostic mechanisms to identify and fix issues with an Android device.
This also meant that the framework had broad access rights, including those of audio, camera, stream, location, sensor data, and storage, to perform its functions. Coupled with the issues identified in the service, Microsoft said it could allow an attacker to implant persistent backdoors and take control.
Some of the apps affected are from major international mobile service providers such as Telus, AT&T, Rogers, Freedom Mobile and Bell Canada –
In addition, Microsoft recommends that users look for the “com.mce.mceiotraceagent” app package – an app that may have been installed by cell phone repair shops – and remove it from the phones if found.
The susceptible apps, although pre-installed by the phone carriers, are also available on the Google Play Store and would have passed the app storefront’s automatic security checks without raising red flags, as the process is not designed to address these issues. to watch out for, something that has since been remedied.