Four high-severity vulnerabilities have been exposed in a framework used by pre-installed Android system apps with millions of downloads.
Since fixed by Israeli developer MCE Systems, the flaws could allow an attacker to launch remote and local attacks, or could be used as a vector to abuse extensive system privileges and obtain sensitive information.
Here’s what Microsoft 365 Defender Research Team had to say about it.
"As it is with many of pre-installed or default applications that most Android devices come with these days, some of the affected apps cannot be fully uninstalled or disabled without gaining root access to the device."
In this article, we will discuss all of these four vulnerabilities — what they are, how they could have impacted you, and what you can do to ensure safety at your end.
What Are These Four Vulnerabilities?
All four carry 2021 Common Vulnerabilities and Exposures (CVE) identifiers and are rated high severity, which corresponds to a Common Vulnerability Scoring System (CVSS) score of 7.0-8.9.
- CVE-2021-42598 - Listed as a reserved vulnerability
- CVE-2021-42599 - Outdated command-injection vulnerability
- CVE-2021-42600 - Listed as a reserved vulnerability
- CVE-2021-42601 - Local elevation of privilege with deserialisation followed by injection
Android's Security Flaw & How it Impacted You
According to a Microsoft blog post, the company discovered high-severity issues in a mobile framework owned by MCE Systems and utilised by many significant mobile service providers in pre-installed Android system applications. These might expose millions of users to both local and remote attacks.
The aforementioned vulnerabilities, CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601, have CVSS scores ranging from 7.0 to 8.9 out of 10, which is considered High.
| CVSS Score | Qualitative Rating |
| --- | --- |
| 0.1 – 3.9 | Low |
| 4.0 – 6.9 | Medium |
| 7.0 – 8.9 | High |
| 9.0 – 10.0 | Critical |
The framework allowed complete access to camera, audio, power, sensor data, location, and storage, among other things. But the good news is that MCE Systems, an Israeli developer, has now resolved the issues.
Microsoft's Findings
According to Microsoft, these vulnerabilities might allow attackers to install persistent backdoors and gain control of the compromised devices.
In their research, they found that the mobile framework provides a service that attackers may be able to use to implant a permanent backdoor or take significant control of the device.
The technical and security teams at Microsoft and MCE Systems both worked to address these issues. The latter resolved the problem by issuing an urgent framework update to the affected providers and releasing bug patches. There were no reports that these security holes had been exploited in the wild when the issue was reported.
Following this news, Google announced that it has upgraded its Play Protect service to cover these attack vectors.
More Insights
Microsoft did not reveal the full list of apps that use the vulnerable technology, but some of the apps affected were from major international mobile service providers including Telus, AT&T, Rogers, Freedom Mobile, and Bell Canada:
- Mobile Klinik Device Checkup
- Device Help
- MyRogers
- Freedom Device Care
- Device Content Transfer
It is also worth noting that the vulnerable apps are available on the Google Play Store. These apps have already passed the app storefront's automated security assessments with good numbers.
How Can You Ensure Safety at Your End?
Thankfully, app upgrades are all that’s required – no requirement for a phone system update.
Still, Microsoft advises users to search for the software bundle and uninstall it from their phones if it is discovered.
Microsoft also notes that certain repair shops install an app with the package name com.mce.mceiotraceagent, which is vulnerable as well. If you discover it on your phone after a repair, make sure to uninstall it.
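The package check described above, as an added example (not from Microsoft or the original article): it parses `pm list packages` output for the exact package name and reports whether it is listed among system or user-installed apps. The sample listings are constructed, and the `USE_ADB` switch is an assumption of this example; setting it to 1 queries a connected device through adb instead.

```shell
#!/bin/sh
PKG="com.mce.mceiotraceagent"   # package name given in the article

# find_pkg LISTING NAME -> prints "present" or "absent".
# LISTING is `pm list packages` output, one "package:<name>" per line.
find_pkg() {
    # Strip carriage returns (some adb versions emit CRLF) and require an
    # exact whole-line match so a longer look-alike name is not reported.
    if printf '%s\n' "$1" | tr -d '\r' | grep -Fxq "package:$2"; then
        echo present
    else
        echo absent
    fi
}

# classify SYSTEM_LISTING USER_LISTING NAME -> "system", "user" or "absent".
classify() {
    if [ "$(find_pkg "$1" "$3")" = present ]; then echo system
    elif [ "$(find_pkg "$2" "$3")" = present ]; then echo user
    else echo absent
    fi
}

# Constructed sample listings (not taken from a real device). The second
# system entry is a made-up look-alike to show why exact matching matters.
SAMPLE_SYS='package:com.android.settings
package:com.mce.mceiotraceagent.sample'
SAMPLE_USER='package:com.mce.mceiotraceagent'

if [ "${USE_ADB:-0}" = 1 ]; then
    sys=$(adb shell pm list packages -s)   # -s: system packages only
    usr=$(adb shell pm list packages -3)   # -3: third-party packages only
else
    sys=$SAMPLE_SYS
    usr=$SAMPLE_USER
fi

case "$(classify "$sys" "$usr" "$PKG")" in
    system) echo "$PKG is pre-installed: update the app; full removal needs root" ;;
    user)   echo "$PKG is user-installed: remove it with 'adb uninstall $PKG'" ;;
    absent) echo "$PKG not found on this device" ;;
esac
```

Passing the package name as a filter to `pm list packages` matches substrings, which is why the script compares whole lines instead.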
Conclusion
Microsoft disclosed information about potential exploits in a technical write-up after discovering the four security flaws in September 2021. The company stated that it worked with MCE Systems and mobile service providers to eliminate the danger.
In situations like these, it's evident that you're no longer the only owner of your gadget, even if services like these make it easier to set up your device. Without root access, it is impossible to delete these pre-installed apps from phones, so when a system app is affected by a vulnerability, all you can do is hope that it is resolved fast.