Microsoft Finds Major Security Flaws in Pre-Installed Android Apps

Bug hunters at Microsoft are calling attention to several high-severity vulnerabilities in a mobile framework used in pre-installed Android System apps, warning that exploitation could have allowed the implantation of a persistent backdoor on Android devices.

According to an advisory released Friday by the Microsoft 365 Defender Research Team, a total of four documented vulnerabilities were found – and fixed – in a mobile framework owned by mce Systems, an Israeli company that provides software to mobile carriers.

“Coupled with the extensive system privileges that pre-installed apps have, these vulnerabilities could have been attack vectors for attackers to access system configuration and sensitive information,” Redmond warned.

As with many pre-installed or default applications that ship on Android devices, Microsoft’s bug hunters warned that some of the affected apps cannot be fully uninstalled or disabled without gaining root access to the device.

The researchers shared notes on the discovery of the four flaws – CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601 – that expose millions of pre-loaded Android apps to malware attacks.

From the Microsoft advisory:

Our research on the framework vulnerabilities began while trying to better understand how a pre-installed System application could affect the overall security of mobile devices. We discovered that the framework, which is used by numerous apps, had a “BROWSABLE” service activity that an attacker could remotely invoke to exploit several vulnerabilities that could allow adversaries to implant a persistent backdoor or take substantial control over the device.

The framework seemed to be designed to offer self-diagnostic mechanisms to identify and resolve issues impacting the Android device, indicating its permissions were inherently broad with access to valuable resources. For example, the framework was authorized to access system resources and perform system-related tasks, like adjusting the device’s audio, camera, power, and storage controls. Moreover, we found that the framework was being used by default system applications to leverage its self-diagnostic capabilities, demonstrating that the affiliated apps also included extensive device privileges that could be exploited via the vulnerable framework.
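The advisory excerpt above turns on a "BROWSABLE" activity, meaning one that a web link can start. As an added example (not taken from Microsoft's advisory or from the affected framework), the following shows how a defender could list such activities in a decoded AndroidManifest.xml together with the permissions the app requests; the manifest, package name and activity names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace of android: attributes
BROWSABLE = "android.intent.category.BROWSABLE"

# Constructed sample: a decoded (text) manifest, not taken from any real app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.diag">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DiagLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="examplediag"/>
      </intent-filter>
    </activity>
    <activity android:name=".InternalActivity" android:exported="false">
      <intent-filter>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="exampleinternal"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

def browsable_components(manifest_xml):
    """Return (activity, URI schemes, app permissions) for link-startable activities."""
    root = ET.fromstring(manifest_xml)
    perms = sorted(p.get(A + "name") for p in root.iter("uses-permission"))
    findings = []
    for comp in root.iter("activity"):
        schemes, browsable = set(), False
        for flt in comp.findall("intent-filter"):
            if BROWSABLE in {c.get(A + "name") for c in flt.findall("category")}:
                browsable = True
                schemes.update(d.get(A + "scheme") for d in flt.findall("data")
                               if d.get(A + "scheme"))
        # An explicit exported="false" keeps browsers and other apps from starting it.
        if browsable and comp.get(A + "exported") != "false":
            findings.append((comp.get(A + "name"), sorted(schemes), perms))
    return findings
```

Each activity returned is one whose input handling deserves review, since the link that starts it comes from outside the app while the app's permissions apply to whatever the activity does with it.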

The Redmond researchers say some of these vulnerabilities also affected other apps on both Android and iOS devices.   

“All of the apps are available on the Google Play Store where they go through Google Play Protect’s automatic safety checks, but these checks previously did not scan for these types of issues,” Microsoft noted.

Details on the bugs were shared with the affected vendor in September 2021, and Microsoft said mce Systems sent an urgent framework update to the impacted providers and released fixes for the issues.

“There have been no reported signs of these vulnerabilities being exploited in the wild,” Microsoft said.

The company also warned that several additional mobile carriers were found using the vulnerable framework with their respective apps, suggesting that there could be additional providers still undiscovered that may be impacted. 

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
