Android pre-installed apps are affected by high-severity vulnerabilities

Microsoft found several high-severity vulnerabilities in a mobile framework used in pre-installed Android System apps.

The Microsoft 365 Defender Research Team discovered four vulnerabilities (CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601) in a mobile framework, owned by mce Systems, that is used by several mobile carriers in pre-installed Android System apps.

The researchers discovered the flaws in September 2021 and reported them to mce Systems and affected mobile service providers through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR).

The experts pointed out that the vulnerabilities affected apps with millions of downloads, the good news is that the flaws have been fixed.

Threat actors could have abused these pre-installed apps to access system configuration and sensitive information.

“As it is with many of pre-installed or default applications that most Android devices come with these days, some of the affected apps cannot be fully uninstalled or disabled without gaining root access to the device. We worked with mce Systems, the developer of the framework, and the affected mobile service providers to solve these issues.” reads the post published by Microsoft.

The bad news is that some of the affected apps cannot be fully uninstalled or disabled without root access to the device. 

The experts discovered that the framework had a “BROWSABLE” service activity that can be remotely invoked to exploit several vulnerabilities. Threat actors could exploit these issues to implant a persistent backdoor or take substantial control over the device.

The framework was designed to implement self-diagnostic mechanisms, for this reason it runs with permissions to valuable resources. Microsoft experts highlight that affiliated apps also included extensive device privileges that could be exploited via the vulnerable framework.

“Our analysis further found that the apps were embedded in the devices’ system image, suggesting that they were default applications installed by phone providers. All of the apps are available on the Google Play Store where they go through Google Play Protect’s automatic safety checks, but these checks previously did not scan for these types of issues.” continues Microsoft. “As part of our effort to help ensure broad protection against these issues, we shared our research with Google, and Google Play Protect now identifies these types of vulnerabilities.”

mce Systems has fixed the issues and provided framework update to the impacted providers. The good news is that at the time of publication, the researchers are not aware of attacks in the wild exploring these vulnerabilities.

“Several other mobile service providers were found using the vulnerable framework with their respective apps, suggesting that there could be additional providers still undiscovered that may be impacted.” concludes the report.

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Android pre-installed apps)

[adrotate banner=”5″]

[adrotate banner=”13″]