Home>Blog>The Hacker News Headlines>Microsoft Finds Critical Bugs in Pre-Installed Apps on Millions of Android Devices
The Hacker News Headlines

Microsoft Finds Critical Bugs in Pre-Installed Apps on Millions of Android Devices

Four high severity vulnerabilities have been disclosed in a
framework used by pre-installed Android System apps with millions
of downloads.

The issues, now fixed by its Israeli developer MCE Systems,
could have potentially allowed threat actors to stage remote and
local attacks or be abused as vectors to obtain sensitive
information by taking advantage of their extensive system
privileges.

“As it is with many of pre-installed or default applications
that most Android devices come with these days, some of the
affected apps cannot be fully uninstalled or disabled without
gaining root access to the device,” the Microsoft 365 Defender
Research Team said[1]
in a report published Friday.

CyberSecurity

The weaknesses, which range from command-injection to local
privilege escalation, have been assigned the identifiers
CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601,
with CVSS scores between 7.0 and 8.9.

Command injection proof-of-concept (POC)
exploit code

Injecting a similar JavaScript code to the
WebView

The vulnerabilities were discovered and reported in September
2021 and there is no evidence that the shortcomings are being
exploited in the wild.

Microsoft didn’t disclose the complete list of apps that use the
vulnerable framework in question, which is designed to offer
self-diagnostic mechanisms to identify and fix issues impacting an
Android device.

This also meant that the framework had broad access permissions,
including that of audio, camera, power, location, sensor data, and
storage, to carry out its functions. Coupled with the issues
identified in the service, Microsoft said it could permit an
attacker to implant persistent backdoors and take over control.

CyberSecurity

Some of the affected apps are from large international mobile
service providers such as Telus, AT&T, Rogers, Freedom Mobile,
and Bell Canada –

Additionally, Microsoft is recommending users to look out for
the app package “com.mce.mceiotraceagent” — an app that may have
been installed by mobile phone repair shops — and remove it from
the phones, if found.

The susceptible apps, although pre-installed by the phone
providers, are also available on the Google Play Store and are said
to have passed the app storefront’s automatic safety checks without
raising any red flags because the process was not engineered to
look out for these issues, something that has since been
rectified.

References

  1. ^
    said
    (www.microsoft.com)

Read more

Leave a Reply

Powered By Anakyst UK Work done easy Discover Great Places People Websites in Nigeria. Be Discovered and Discover Great Places People Products & Websites in Nigeria. Tell us what you need to advertise online onradio ontv and where you want to advertise and discover talented publishers and advertisers within minutes for just a fraction of the cost!JobScout | Developed By Rara Theme. Powered by WordPress.