Microsoft has disclosed a series of vulnerabilities in a mobile framework used in Android apps “with millions of downloads” that could have exposed their users to attacks.
The company says:(Opens in a new window) it “discovered very serious vulnerabilities in a mobile framework owned by mce Systems and used by multiple major mobile service providers in pre-installed Android System apps that potentially exposed users to remote (albeit complex) or local attacks.”
The vulnerabilities have been identified as CVE-2021-42598(Opens in a new window)CVE-2021-42599(Opens in a new window)CVE-2021-42600(Opens in a new window)and CVE-2021-42601(Opens in a new window)† Microsoft says the errors have been awarded a Common Vulnerability Scoring System (CVSS) between 7.0-8.9 out of 10.
The company says mce Systems’ mobile framework includes a service that an attacker can “remotely use to exploit various vulnerabilities that could allow attackers to implant a persistent backdoor or gain substantial control over the device.”
Microsoft says it discovered the security flaws in September 2021. It then notified mce Systems and “affected mobile service providers” of the vulnerabilities and worked with those companies to fix the issues so that the relevant apps could not be exploited by hackers.
“We worked closely with mce Systems’ security and engineering teams to address these vulnerabilities,” Microsoft said, “including mce Systems who sent an urgent framework update to the affected providers and released fixes to the issues. publication There have been no reports of these vulnerabilities being exploited in the wild.”
The company has also notified Google of these security flaws. Google reportedly responded by updating Google Play Protect(Opens in a new window)which Google says Android users can “help keep your apps safe and your data private,” to detect vulnerabilities of this nature.
Recommended by our editors
But the full extent of these vulnerabilities is unknown. Microsoft says “there may be other carriers that have not yet been discovered” by these bugs, noting that “several cell phone repair shops” may have installed a vulnerable app on customers’ devices. Android users have been advised to search for that app and remove it from their phones.
More information about the vulnerabilities, including what part of the mce Systems mobile framework has been compromised, how they can be exploited and more, is available through Microsoft’s report.
Like what you read?
Sign up for SecurityWatch newsletter for our top privacy and security stories delivered straight to your inbox.
This newsletter may contain advertisements, offers or affiliate links. By subscribing to a newsletter, you indicate that you agree to our terms of use and privacy policy. You can unsubscribe from the newsletters at any time.
function facebookPixelScript() { if (!facebookPixelLoaded) { facebookPixelLoaded = true; document.removeEventListener('scroll', facebookPixelScript); document.removeEventListener('mousemove', facebookPixelScript);
!function(f,b,e,v,n,t,s){if(f.fbq)return;n=f.fbq=function(){n.callMethod? n.callMethod.apply(n,arguments):n.queue.push(arguments)};if(!f._fbq)f._fbq=n; n.push=n;n.loaded=!0;n.version='2.0';n.queue=[];t=b.createElement(e);t.async=!0; t.src=v;s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}(window, document,'script','//connect.facebook.net/en_US/fbevents.js');
fbq('init', '454758778052139');
fbq('track', "PageView");
}
}
[title_words_as_hashtags
