High-severity flaws in a framework used by Android apps from numerous major international mobile service providers have been discovered by Microsoft security experts.
The researchers discovered these flaws in a mobile framework owned by mce Systems. Tracked as CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601, they exposed users to command injection and privilege escalation attacks.
Affected telecommunications providers include AT&T, TELUS, Rogers Communications, Bell Canada, and Freedom Mobile. The susceptible apps have millions of downloads on Google’s Play Store and come pre-installed as system programs on devices purchased from them.
According to security researchers Jonathan Bar-Or, Sang Shin Jung, Michael Peck, Joe Mansour, and Apurva Kumar of the Microsoft 365 Defender Research Team, “The apps were incorporated in the devices’ system image, suggesting that they were default programs installed by phone providers.”
“All of the apps are accessible through the Google Play Store, where they undergo Google Play Protect’s automatic safety checks; however, these checks did not previously look for these specific problems.”
Some of the impacted apps cannot be fully deleted or disabled without getting root access to the device, as is the case with many of the pre-installed or default programs that the majority of Android devices now come with.
Vulnerabilities patched by all vendors involved
The vendors Microsoft contacted had already updated their apps to fix the problems before the security flaws were made public today, protecting their customers from attacks. However, apps from other telecoms use the same flawed framework.
The researchers noted that they had spotted “a number of other mobile service providers employing the vulnerable framework with their own apps, suggesting that there may be further providers still undiscovered that may be impacted.”
Microsoft added that some Android devices may also be vulnerable to attacks that attempt to exploit these issues if an Android app with the package name com.mce.mceiotraceagent was installed “by numerous mobile phone repair shops.”
Users who find this app installed on their phones are urged to remove it right away to close the attack vector.
All parties involved have addressed the flaws that affected apps with millions of downloads, according to the researchers.
When coupled with the significant system privileges that pre-installed apps have, these flaws “may have been attacking avenues for attackers to obtain system configuration and sensitive information.”
When BleepingComputer contacted Microsoft earlier today, the company did not respond to a request to release the full list of impacted apps and mobile service providers.