Cyber Security

Microsoft Finds Critical Bugs in Pre-Installed Apps on Millions of Android Devices

Four high severity vulnerabilities have been disclosed in a framework used by pre-installed Android System apps with millions of downloads.

The issues, now fixed by its Israeli developer MCE Systems, could have potentially allowed threat actors to stage remote and local attacks or be abused as vectors to obtain sensitive information by taking advantage of their extensive system privileges.

“As it is with many of pre-installed or default applications that most Android devices come with these days, some of the affected apps cannot be fully uninstalled or disabled without gaining root access to the device,” the Microsoft 365 Defender Research Team said in a report published Friday.


The weaknesses, which range from command-injection to local privilege escalation, have been assigned the identifiers CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601, with CVSS scores between 7.0 and 8.9.

Command injection proof-of-concept (POC) exploit code
Injecting a similar JavaScript code to the WebView

The vulnerabilities were discovered and reported in September 2021 and there is no evidence that the shortcomings are being exploited in the wild.

Microsoft didn’t disclose the complete list of apps that use the vulnerable framework in question, which is designed to offer self-diagnostic mechanisms to identify and fix issues impacting an Android device.

This also meant that the framework had broad access permissions, including that of audio, camera, power, location, sensor data, and storage, to carry out its functions. Coupled with the issues identified in the service, Microsoft said it could permit an attacker to implant persistent backdoors and take over control.


Some of the affected apps are from large international mobile service providers such as Telus, AT&T, Rogers, Freedom Mobile, and Bell Canada –

Additionally, Microsoft is recommending users to look out for the app package “com.mce.mceiotraceagent” — an app that may have been installed by mobile phone repair shops — and remove it from the phones, if found.

The susceptible apps, although pre-installed by the phone providers, are also available on the Google Play Store and are said to have passed the app storefront’s automatic safety checks without raising any red flags because the process was not engineered to look out for these issues, something that has since been rectified.

Products You May Like

Articles You May Like

Elon Musk Confirms 10 Percent Layoff in Tesla, Paused Hirings Ahead of Expected US Recession
Elon Musk clarifies Tesla will lay off 3.5% of total workforce as ex-employees sue company
Google Pledges Over Remunerating News Publishers Accepted by French Antitrust Body
Apple’s iOS 16 Will Enable Users to Bypass CAPTCHA Verification Prompt: Report
Fossil Gen 6 Hybrid Smartwatch to Launch on June 27 With Up to 2 Weeks of Battery Life

Leave a Reply

Your email address will not be published.