Microsoft found several high-severity vulnerabilities in a mobile framework used in pre-installed Android System apps.
The Microsoft 365 Defender Research Team discovered four vulnerabilities (CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601) in a mobile framework, owned by mce Systems, that is used by several mobile carriers in pre-installed Android System apps.
The researchers discovered the flaws in September 2021 and reported them to mce Systems and affected mobile service providers through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR).
The experts pointed out that the vulnerabilities affected apps with millions of downloads, the good news is that the flaws have been fixed.
Threat actors could have abused these pre-installed apps to access system configuration and sensitive information.
“As it is with many of pre-installed or default applications that most Android devices come with these days, some of the affected apps cannot be fully uninstalled or disabled without gaining root access to the device. We worked with mce Systems, the developer of the framework, and the affected mobile service providers to solve these issues.” reads the post published by Microsoft.
The bad news is that some of the affected apps cannot be fully uninstalled or disabled without root access to the device.
The experts discovered that the framework had a “BROWSABLE” service activity that can be remotely invoked to exploit several vulnerabilities. Threat actors could exploit these issues to implant a persistent backdoor or take substantial control over the device.
The framework was designed to implement self-diagnostic mechanisms, for this reason