Microsoft experts have found four serious vulnerabilities in pre-installed Android applications, specifically in a framework used by the Android apps of several major international mobile service providers.
Vulnerabilities were discovered in the platform of mce Systems, an Israeli company that provides software for mobile operators.
Let me remind you that we also wrote that about 8% of apps in the Google Play Store are vulnerable to a bug in the Play Core library, and that Google is recruiting a team of experts to find bugs in Android applications.
Issues scoring between 7 and 8.9 on the CVSS vulnerability rating scale range from command injection to local privilege escalation. They have been assigned the identifiers CVE-2021-42598, CVE-2021-42599, CVE-2021-42600 and CVE-2021-42601.
Vulnerable apps reportedly have millions of downloads on the Google Play Store and are pre-installed as system apps on many devices. Microsoft does not disclose the full list of applications that use the vulnerable platform, but writes that such applications can be found on devices purchased from carriers such as AT&T, TELUS, Rogers Communications, Bell Canada and Freedom Mobile.
"Like many pre-installed or default apps that ship with most Android devices these days, some of the affected apps cannot be completely removed or disabled without root access to the device," Microsoft 365 Defender wrote.
According to Microsoft, all the affected vendors had updated their apps to fix the bugs before the security bulletin was published, but other telecom apps may be using the same problematic framework.
In addition, the researchers warn that other Android devices can also be attacked through these vulnerabilities if the com.mce.mceiotraceagent application is installed on them, for example by a phone repair shop. Anyone who finds this application on their device is advised to remove it immediately.