Microsoft has publicly disclosed a series of vulnerabilities in a mobile framework used in Android apps “with millions of downloads” that could have left their users open to attack.
The company says it “discovered very serious vulnerabilities in a mobile framework owned by mce Systems and used by several major mobile service providers in pre-installed Android system apps that potentially exposed users to remote (albeit complex) or local attacks”.
The vulnerabilities have been identified as CVE-2021-42598, CVE-2021-42599, CVE-2021-42600 and CVE-2021-42601; Microsoft says the flaws received Common Vulnerability Scoring System (CVSS) scores between 7.0 and 8.9 out of 10.
The company says mce Systems’ mobile framework includes a service that an attacker “could remotely invoke to exploit multiple vulnerabilities that could allow adversaries to implant a persistent backdoor or gain substantial control over the device.”
Microsoft says it discovered the security flaws in September 2021. It then notified mce Systems and “affected mobile service providers” of the vulnerabilities and worked with those companies to mitigate the issues so that the affected applications could not be exploited by attackers.
“We worked closely with mce Systems’ security and engineering teams to mitigate these vulnerabilities,” Microsoft explains, “which included mce Systems sending an urgent framework update to affected vendors and releasing fixes for issues. At the time of publication, there were no reported signs of these vulnerabilities being exploited in the wild.”
The company also informed Google about these security flaws. Google reportedly responded by updating Google Play Protect, which Google says Android users can use to “help keep your apps secure and your data private”, to help detect vulnerabilities of this nature.
But the full extent of these vulnerabilities is not known. Microsoft says that “there may be other as yet unknown vendors that may be affected” by these flaws, and notes that “several mobile phone repair shops” may have installed a vulnerable app on customer devices. Android users have been advised to find this app and remove it from their phones.
More information about the vulnerabilities, including which part of mce Systems’ mobile framework was affected, how they could have been exploited, and more, is available via Microsoft’s report.