Multiple high-severity vulnerabilities were recently found in a mobile framework operating on the systems of Android devices, putting millions of users at risk. The Microsoft 365 Defender Research Team detected the flaws and published a report last Friday, May 27.
"High-severity Vulnerabilities"
The Microsoft 365 Defender Research Team has already discovered the vulnerabilities back in September last year. In a new blog post titled "Android apps with millions of downloads exposed to high-severity vulnerabilities", the team said that these flaws could have been used to initiate serious attacks on target devices, leading to partial device takeover and data theft.
They also noted that just like pre-installed or default applications in Android devices, affected apps will not be fully uninstalled or disabled without having root access to the device.
"Microsoft uncovered high-severity vulnerabilities in a mobile framework owned by mce Systems and used by multiple large mobile service providers in pre-installed Android System apps that potentially exposed users to remote (albeit complex) or local attacks," the team wrote in the blog post.
Microsoft added that affected apps "with millions of downloads" have already been fixed by all involved parties.
The team is currently tracking the following vulnerabilities: CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601. They all have severity scores ranging from 7.0 to 8.9 out of 10.
The Framework
The company also discovered that the framework, which was used by multiple apps, "had a 'BROWSABLE' service activity" that an attacker could remotely trigger to exploit multiple vulnerabilities and enable adversaries to "implant a persistent backdown" or take significant control over the device.
Furthermore, the framework appeared to be designed to offer self-diagnostic mechanisms which can identify and resolve problems affecting the Android device. According to Microsoft, this means that permissions were made to be "inherently broad" including access to valuable resources.
For instance, the framework was able to access systems in-camera, power, and storage controls. Microsoft also found that it was used by default system applications so that it can leverage its self-diagnostic capabilities.
The mce Systems and other mobile service providers who were affected have already been notified by Microsoft. All of the parties involved teamed up to fix the issues.
Google also helped them by updating its Play Protect service so that it can prevent the attack vectors.
Although Microsoft stated that there was no evidence of the flaws being exploited "in the wild", they noted that there could several undiscovered providers affected by the flaw.
"We will continue to work with the security community to share intelligence about threats and build better protection for all. Microsoft security researchers continually work to discover new vulnerabilities and threats," the research team said.
Related Article : Google Play Store's Android Apps Now Show Which of Them Has Accessibility Features
This article is owned by Tech Times
Written by Joaquin Victor Tacla