Microsoft Finds Major Security Flaws in Pre-Installed Android Apps

Bug hunters at Microsoft are calling attention to several high-severity vulnerabilities in a mobile framework used in pre-installed Android System apps, warning that exploitation could have allowed the implantation of a persistent backdoor on Android devices.

According to an advisory released Friday by the Microsoft 365 Defender Research Team, a total of four documented vulnerabilities were found – and fixed – in a mobile framework owned by mce Systems, an Israeli company that provides software to mobile carriers.

“Coupled with the extensive system privileges that pre-installed apps have, these vulnerabilities could have been attack vectors for attackers to access system configuration and sensitive information,” Redmond warned.

As is the case with many pre-installed or default applications that ship on Android devices, Microsoft’s bug hunters warned that some of the affected apps cannot be fully uninstalled or disabled without gaining root access to the device.

The researchers shared notes on the discovery of the four flaws – CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601 – that expose millions of pre-loaded Android apps to malware attacks.

From the Microsoft advisory:

Our research on the framework vulnerabilities began while trying to better understand how a pre-installed System application could affect the overall security of mobile devices. We discovered that the framework, which is used by numerous apps, had a “BROWSABLE” service activity that an attacker could remotely invoke to exploit several vulnerabilities that could allow adversaries to implant a persistent backdoor or take substantial control over the device.


The framework seemed to be designed to offer self-diagnostic mechanisms to identify and resolve issues impacting the Android device, indicating its permissions were inherently broad with access to valuable resources. For example, the framework was authorized to access system resources and perform system-related tasks, like adjusting the device’s audio, camera, power, and storage controls. Moreover, we found that the framework was being used by default system applications to leverage its self-diagnostic capabilities, demonstrating that the affiliated apps also included extensive device privileges that could be exploited via the vulnerable framework.
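As an added example (not taken from Microsoft's advisory or from the affected framework), the following Python script shows a defender-side check for the pattern the advisory describes: it lists the activities in a decoded AndroidManifest.xml that declare the BROWSABLE category, alongside the permissions the app requests. The manifest, package name, component names and URI scheme are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
BROWSABLE = "android.intent.category.BROWSABLE"

# Constructed sample (decoded manifest); package, components and scheme are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.diagnostics">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="exampleapp" android:host="diag"/>
      </intent-filter>
    </activity>
    <activity android:name=".InternalLinkActivity" android:exported="false">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

def audit_browsable(manifest_xml):
    """Return (requested permissions, BROWSABLE activities) for manual review."""
    root = ET.fromstring(manifest_xml)
    perms = sorted(p.get(A + "name") for p in root.iter("uses-permission"))
    findings = []
    for comp in root.iter("activity"):
        for filt in comp.findall("intent-filter"):
            cats = {c.get(A + "name") for c in filt.findall("category")}
            if BROWSABLE not in cats:
                continue
            schemes = {d.get(A + "scheme") for d in filt.findall("data")} - {None}
            findings.append({
                "component": comp.get(A + "name"),
                "schemes": sorted(schemes),
                # Before Android 12, an activity with an intent filter is exported
                # unless android:exported="false" is set explicitly.
                "reachable": comp.get(A + "exported") != "false",
            })
    return perms, findings

if __name__ == "__main__":
    print(audit_browsable(SAMPLE_MANIFEST))
```

Each reachable finding is a link-invocable entry point that runs with the listed permissions, so its input handling is the place to focus review.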

The Redmond researchers say some of these vulnerabilities also affected other apps on both Android and iOS devices.   

“All of the apps are available on the Google Play Store where they go through Google Play Protect’s automatic safety checks, but these checks previously did not scan for these types of issues,” Microsoft noted.

Details on the bugs were shared with the affected vendor in September 2021, and Microsoft said mce Systems sent an urgent framework update to the impacted providers and released fixes for the issues.

“There have been no reported signs of these vulnerabilities being exploited in the wild,” Microsoft said.

The company also warned that several additional mobile carriers were found using the vulnerable framework with their respective apps, suggesting that there could be additional providers still undiscovered that may be impacted. 

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
