A framework used by pre-installed Android System applications with millions of downloads has four high severity vulnerabilities.
Threat actors might have leveraged the vulnerabilities, which have already been addressed by its Israeli creator MCE Systems, to launch remote and local attacks or be used as vectors to collect sensitive information by exploiting their vast system rights.
“Some of the afflicted applications cannot be completely removed or disabled without root access to the device, as it is with many of the pre-installed or default programmes that most Android devices come with these days,” according to a research published Friday by the Microsoft 365 Defender Research Team.
CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601, with CVSS scores ranging from 7.0 to 8.9, have been awarded to the vulnerabilities, which vary from command injection to local privilege escalation.
The flaws were discovered and reported in September 2021, and no evidence of them being exploited in the wild has been found.
The full list of applications that use the vulnerable framework in question, which is supposed to provide self-diagnostic methods to discover and resolve issues affecting an Android device, was not released by Microsoft.
This also meant that the framework had extensive access permissions to carry out its duties, including audio, camera, power, location, sensor data, and storage. When combined with the service’s flaws, Microsoft believes it might allow an attacker to install persistent backdoors and seize control.
Telus, AT&T, Rogers, Freedom Mobile, and Bell Canada are among the main international mobile service providers whose apps are impacted.
- Mobile Klinik Device Checkup (com.telus.checkup)
- Device Help (com.att.dh)
- MyRogers (com.fivemobile.myaccount)
- Freedom Device Care (com.freedom.mlp.uat), and
- Device Content Transfer (com.ca.bell.contenttransfer)
Additionally, Microsoft advises users to check their phones for the software package “com.mce.mceiotraceagent” – an app that may have been installed by mobile phone repair shops — and uninstall it if detected.
Although pre-installed by phone providers, the vulnerable apps are also available on the Google Play Store, where they are said to have passed the app storefront’s automatic safety checks without raising any red flags because the process was not designed to look for these issues, which has since been corrected.