Security Experts:

Microsoft Finds Major Security Flaws in Pre-Installed Android Apps

Bug hunters at Microsoft are calling attention to several high-severity vulnerabilities in a mobile framework used in pre-installed Android System apps, warning that exploitation could have allowed the implantation of a persistent backdoor on Android devices.

According to an advisory released Friday by the Microsoft 365 Defender Research Team, a total of four documented vulnerabilities were found – and fixed – in a mobile framework owned by mce Systems, an Israeli company that provides software to mobile carriers.

"Coupled with the extensive system privileges that pre-installed apps have, these vulnerabilities could have been attack vectors for attackers to access system configuration and sensitive information," Redmond warned.

As it is with many of pre-installed or default applications that ship on Android devices, Microsoft’s bug hunters warned that some of the affected apps cannot be fully uninstalled or disabled without gaining root access to the device. 

The researchers shared notes on the discovery of the four flaws –  CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601 – that expose millions of pre-loaded Android apps to malware attacks.

From the Microsoft advisory:

Our research on the framework vulnerabilities began while trying to better understand how a pre-installed System application could affect the overall security of mobile devices. We discovered that the framework, which is used by numerous apps, had a “BROWSABLE” service activity that an attacker could remotely invoke to exploit several vulnerabilities that could allow adversaries to implant a persistent backdoor or take substantial control over the device.


The framework seemed to be designed to offer self-diagnostic mechanisms to identify and resolve issues impacting the Android device, indicating its permissions were inherently broad with access to valuable resources. For example, the framework was authorized to access system resources and perform system-related tasks, like adjusting the device’s audio, camera, power, and storage controls. Moreover, we found that the framework was being used by default system applications to leverage its self-diagnostic capabilities, demonstrating that the affiliated apps also included extensive device privileges that could be exploited via the vulnerable framework.

The Redmond researchers say some of these vulnerabilities also affected other apps on both Android and iOS devices.   

[ READ: Microsoft Says Mac Trojan Becoming Stealthier, More Menacing ]

"All of the apps are available on the Google Play Store where they go through Google Play Protect’s automatic safety checks, but these checks previously did not scan for these types of issues," Microsoft noted.

Details on the bugs were shared with the affected vendor last September 2021 and Microsoft said mce Systems sent an urgent framework update to the impacted providers and released fixes for the issues. 

"There have been no reported signs of these vulnerabilities being exploited in the wild," MIcrosoft said.

The company also warned that several additional mobile carriers were found using the vulnerable framework with their respective apps, suggesting that there could be additional providers still undiscovered that may be impacted. 

Related: Microsoft Warns of 'Nimbuspwn' Security Flaws Haunting Linux

Related: Microsoft Says Mac Trojan Becoming Stealthier, More Menacing

Related: Microsoft Raises Alarm for New Windows Zero-Day Attacks

Related: Microsoft Flexes Security Vendor Muscles With Managed Services

view counter
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. Ryan is a veteran cybersecurity strategist who has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and Kaspersky GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan's past career as a security journalist included bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive's ZDNet, PCMag and PC World. Ryan is a director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world. Follow Ryan on Twitter @ryanaraine.