Microsoft Discovers Security Flaws In Pre-installed Android Apps

Four high-severity vulnerabilities have been exposed in the framework used by pre-installed Android system apps with millions of downloads.

Since fixed by Israeli developer MCE Systems, the issues could have allowed an attacker to launch remote and local attacks, or could have served as a vector for abusing extensive system privileges to obtain sensitive information.

Here’s what the Microsoft 365 Defender Research Team had to say about it:

"As it is with many of pre-installed or default applications that most Android devices come with these days, some of the affected apps cannot be fully uninstalled or disabled without gaining root access to the device."

In this article, we discuss all four vulnerabilities: what they are, how they could have impacted you, and what you can do to ensure safety at your end.

What Are These Four Vulnerabilities?

All four carry 2021 identifiers in the Common Vulnerabilities and Exposures (CVE) list and are rated high severity, which corresponds to a Common Vulnerability Scoring System (CVSS) score of 7.0-8.9.

  • CVE-2021-42598 - Listed as a reserved vulnerability
  • CVE-2021-42599 - Outdated command-injection vulnerability
  • CVE-2021-42600 - Listed as a reserved vulnerability
  • CVE-2021-42601 - Local elevation of privilege with deserialisation followed by injection

Android's Security Flaw & How it Impacted You

According to a Microsoft blog post, the company discovered high-severity issues in a mobile framework owned by MCE Systems and utilised by many significant mobile service providers in pre-installed Android System applications. These might expose millions of users to both local and remote attacks.

The aforementioned vulnerabilities (CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601) have CVSS scores ranging from 7.0 to 8.9 out of 10, which is rated High.

| CVSS Score | Qualitative Rating |
|------------|--------------------|
| 0.1 – 3.9  | Low                |
| 4.0 – 6.9  | Medium             |
| 7.0 – 8.9  | High               |
| 9.0 – 10.0 | Critical           |

The framework allowed complete access to the camera, audio, power, sensor data, location, and storage, among other things. But the good news is that MCE Systems, an Israeli developer, has now resolved the concerns.

Microsoft's Findings

According to Microsoft, this might allow attackers to install persistent backdoors and gain control of the compromised devices.

In its research, the team found that the mobile framework provides a service that attackers may be able to use to implant a persistent backdoor or take significant control of the device.

The technical and security teams at Microsoft and MCE Systems both worked to address these issues. The latter resolved the problem by issuing an urgent framework update to the affected providers and releasing bug patches. There were no reports of these security holes being exploited in the wild at the time the issue was reported.

Following this news, Google announced that it has upgraded its Play Protect service to cover these attack vectors.

More Insights

Microsoft did not reveal the full list of apps that use the vulnerable technology, but some of the affected apps were from major international mobile service providers including Telus, AT&T, Rogers, Freedom Mobile, and Bell Canada:

  • Mobile Klinik Device Checkup
  • Device Help
  • MyRogers
  • Freedom Device Care
  • Device Content Transfer

It is also worth noting that the vulnerable apps are available on the Google Play Store. These apps have already passed the app storefront's automated security assessments with good numbers.

How Can You Ensure Safety at Your End?

Thankfully, app updates are all that’s required; no phone system update is needed.

Still, Microsoft advises users to look for the software package on their phones and uninstall it if it is found.

Microsoft also notes that certain repair shops install an app with the package name com.mce.mceiotraceagent, which is vulnerable as well. If you discover it on your phone after a repair, make sure to uninstall it.
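One way to carry out that check from a computer, as an added example that is not from Microsoft or the original article. It assumes adb is installed and USB debugging is authorised on the phone; the sample listings are constructed, and only the package name com.mce.mceiotraceagent comes from the article.

```shell
#!/bin/sh
# Added example: is the package named in the article present, and in what form?
TARGET_PKG="com.mce.mceiotraceagent"   # package name given in the article

# has_pkg PKG: succeed if PKG is listed in `pm list packages` output on stdin.
# Exact match on the name, so "com.x.agent" never matches "com.x.agent.helper".
has_pkg() {
    cr=$(printf '\r')
    while IFS= read -r line; do
        line=${line%"$cr"}        # adb on some hosts emits CRLF line endings
        name=${line#package:}     # "package:com.x"        -> "com.x"
        name=${name##*=}          # "-f" form "path=com.x" -> "com.x"
        [ "$name" = "$1" ] && return 0
    done
    return 1
}

# classify_pkg PKG SYSTEM_LIST THIRD_PARTY_LIST
# prints: preinstalled | user-installed | absent
classify_pkg() {
    if printf '%s\n' "$2" | has_pkg "$1"; then
        echo preinstalled
    elif printf '%s\n' "$3" | has_pkg "$1"; then
        echo user-installed
    else
        echo absent
    fi
}

# Constructed sample listings (not from a real device), used when not scanning.
SAMPLE_SYSTEM='package:com.android.settings
package:com.example.carrier.devicehelp'
SAMPLE_THIRD='package:/data/app/~~Qx==/com.mce.mceiotraceagent-1==/base.apk=com.mce.mceiotraceagent'

if [ "${1:-}" = "--scan" ]; then      # needs adb and an authorised device
    sys=$(adb shell pm list packages -s)     # -s: system (pre-installed) apps
    third=$(adb shell pm list packages -3)   # -3: third-party apps
else
    sys=$SAMPLE_SYSTEM; third=$SAMPLE_THIRD
fi

case $(classify_pkg "$TARGET_PKG" "$sys" "$third") in
    preinstalled)   echo "$TARGET_PKG is a system app: update it; full removal needs root" ;;
    user-installed) echo "$TARGET_PKG is removable: adb uninstall $TARGET_PKG" ;;
    absent)         echo "$TARGET_PKG not found" ;;
esac
```

Run it with `--scan` to query a connected phone; without arguments it only evaluates the constructed sample.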





Microsoft disclosed information about potential exploits in a technical write-up after discovering the four security flaws in September 2021. The company stated that it worked with MCE Systems and mobile service providers to eliminate the danger.

In situations like these, it's evident that you're no longer the only owner of your gadget, even if services like these make it easier to set up your device. Without root access, it is impossible to delete these pre-installed apps from phones; thus, when a system app is afflicted by a vulnerability, all you can do is hope that it is resolved fast.

Published on Jun 27, 2022
Written by Manmesh Malhotra
Manmesh is Contributing Content Researcher at Appknox. He is a deck cadet who loves to keep up with advancements in cybersecurity by analysing online trends and communicating with subject matter experts.

