Microsoft security researchers have found high severity vulnerabilities in a framework used by Android apps from multiple large international mobile service providers.
The researchers found these vulnerabilities (tracked as CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601) in a mobile framework owned by mce Systems exposing users to command injection and privilege escalation attacks .
The vulnerable apps have millions of downloads on Google’s Play Store and come pre-installed as system applications on devices bought from affected telecommunications operators, including AT&T, TELUS, Rogers Communications, Bell Canada, and Freedom Mobile.
“The apps were embedded in the devices’ system image, suggesting that they were default applications installed by phone providers,” according to security researchers Jonathan Bar Or, Sang Shin Jung, Michael Peck, Joe Mansour, and Apurva Kumar of the Microsoft 365 Defender research team.
“All of the apps are available on the Google Play Store where they go through Google Play Protect’s automatic safety checks, but these checks previously did not scan for these types of issues.
“As it is with many of pre-installed or default applications that most Android devices come with these days, some of the affected apps cannot be fully uninstalled or disabled without gaining root access to the device.”
Vulnerabilities fixed by all vendors involved
While the vendors Microsoft reached out to have already updated their apps to address the bugs before the security flaws were disclosed today to protect their customers from attacks, apps from other telcos also use the same buggy framework.
“Several other mobile service providers were found using the vulnerable framework with their respective apps, suggesting that there could be additional providers still undiscovered that may be impacted,” the researchers added.
Microsoft added that some Android devices might also be exposed to attacks trying to abuse these flaws if an Android app (with the com.mce.mceiotraceagent package name) was installed “by several mobile phone repair shops.”
Those who find this app installed on their device are advised to immediately remove it from their phones to remove the attack vector.
“The vulnerabilities, which affected apps with millions of downloads, have been fixed by all parties involved,” the researchers said.
“Coupled with the extensive system privileges that pre-installed apps have, these vulnerabilities could have been attack vectors for attackers to access system configuration and sensitive information.”
Microsoft didn’t reply to a request for sharing the complete list of affected apps and mobile providers when BleepingComputer reached out earlier today.