Four critical vulnerabilities have been discovered in a framework used by pre-installed Android system applications with millions of downloads.
The flaws, which have already been fixed by the framework's Israeli developer, MCE Systems, could have allowed threat actors to stage remote and local attacks, or served as vectors for collecting sensitive information through their extensive system privileges.
“As with many of the pre-installed or default applications that most Android devices come with these days,” the Microsoft 365 Defender Research Team noted in a report published Friday.
The vulnerabilities, which range from command injection to local privilege escalation, have been identified as CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601, with CVSS scores ranging from 7.0 to 8.9.
[Figure: Command injection proof-of-concept (PoC) exploit code]
[Figure: Injecting similar JavaScript code into the WebView]
The flaws were found and reported in September 2021, and there is no evidence that they are being exploited in the wild.
Microsoft did not provide the full list of applications that use the vulnerable framework in question, which is designed to provide self-diagnostic tools for identifying and repairing flaws on an Android device.
This also meant that the framework had extensive access permissions to carry out its duties, including audio, camera, power, location, sensor data, and storage. Combined with the flaws revealed in the service, Microsoft stated, this access might allow an attacker to implant persistent backdoors and gain control.
Apps from significant international mobile service providers such as Telus, AT&T, Rogers, Freedom Mobile, and Bell Canada are among those affected.
- Mobile Klinik Device Checkup (com.telus.checkup)
- Freedom Device Care (com.freedom.mlp.uat)
- Device Content Transfer (com.ca.bell.contenttransfer)
- Device Help (com.att.dh)
- MyRogers (com.fivemobile.myaccount)
Furthermore, Microsoft advises users to search for the software package “com.mce.mceiotraceagent” (an app that may have been installed by mobile phone repair shops) and uninstall it from their phones if they find it.
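One way to run that search over a device's package list, as an added example that is not code from Microsoft's report or from this article: it filters `adb shell pm list packages` output for the package IDs named above using exact matching. The sample input, the function names and the `--device` switch are constructed for illustration; live use assumes `adb` with USB debugging enabled.

```shell
#!/bin/sh
# Added example. Package IDs below are the ones listed in the article.
AFFECTED_PACKAGES="com.telus.checkup
com.freedom.mlp.uat
com.ca.bell.contenttransfer
com.att.dh
com.fivemobile.myaccount
com.mce.mceiotraceagent"

# Reads `pm list packages` output on stdin and prints the affected IDs found.
# -F: fixed strings (dots are literal); -x: whole-line match, so a package
# that merely starts with or contains an affected ID is not reported.
find_affected() {
    tr -d '\r' | sed -n 's/^package://p' | grep -Fx -e "$AFFECTED_PACKAGES" || true
}

# Turns the matches into one line of guidance per package.
report() {
    find_affected | while IFS= read -r pkg; do
        case "$pkg" in
            com.mce.mceiotraceagent)
                echo "$pkg: uninstall (Microsoft's advice for this package)" ;;
            *)
                echo "$pkg: affected app present, confirm it has been updated" ;;
        esac
    done
}

# Constructed sample input, including CRLF line endings as emitted by some
# adb versions and a made-up lookalike ID that must not match.
sample_device_output() {
    printf 'package:com.android.settings\r\n'
    printf 'package:com.att.dh\r\n'
    printf 'package:com.att.dhx.lookalike\r\n'
    printf 'package:com.mce.mceiotraceagent\r\n'
}

# Hypothetical switch: query a connected device instead of the sample data.
if [ "${1:-}" = "--device" ]; then
    adb shell pm list packages | report
fi
```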
Although pre-installed by phone providers, the vulnerable apps are also available on the Google Play Store and are said to have passed the app storefront’s automatic safety checks without raising any red flags because the process was not designed to look for these issues, which has since been corrected.