Microsoft security researchers have found high-severity vulnerabilities in a framework used by Android apps from several major international wireless carriers.
Researchers found these vulnerabilities (tracked as CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601) in a mobile framework from mce Systems; they expose users to command injection and privilege escalation.
The vulnerable apps are downloaded by the millions from the Google Play Store and are pre-installed as system applications on devices purchased from affected telecom operators, including AT&T, TELUS, Rogers Communications, Bell Canada and Freedom Mobile.
“The apps were embedded in the devices’ system image, suggesting they were standard applications installed by carriers,” said Microsoft security researchers Jonathan Bar Or, Sang Shin Jung, Michael Peck, Joe Mansour and Apurva Kumar of the Microsoft 365 Defender Research Group.
“All apps are available on the Google Play Store, where they go through Google Play Protect’s automatic security checks, but these checks have not previously been investigated for these kinds of issues.
“As with many pre-installed or default applications provided by most Android devices these days, some of the affected apps cannot be completely uninstalled or disabled without gaining root access to the device.”
Vulnerabilities fixed by all participating vendors
While the vendors working with Microsoft had already updated their apps to fix the bugs before the vulnerabilities were revealed today, protecting their customers from attacks, apps from other telecom companies also use the same flawed framework.
“Several other wireless carriers have been found to use the vulnerable framework with their respective apps, suggesting that there may be other undetected carriers that may be affected,” the researchers added.
Microsoft added that some Android devices could also be vulnerable to attacks attempting to exploit these flaws if an Android app (package name com.mce.mceiotraceagent) was installed “by multiple phone repair shops.”
Those who find this app installed on their device should remove it from their phones immediately to remove the attack vector.
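One way to check a device, or every device attached over adb, for the package named above. This is an added example, not code from Microsoft or the original article; the function names and the `--audit` argument are assumptions, and the matching is exact so that similarly prefixed package names are not reported.

```shell
#!/bin/sh
# Added example: look for the package named in the article in the output of
# `pm list packages`. Function names and the --audit argument are hypothetical.
TARGET="com.mce.mceiotraceagent"

# has_package PKG
# Reads `pm list packages` output on stdin (lines like "package:com.example.app").
# adb often appends a carriage return, so strip it, then require a whole-line
# match so that "PKG.something" or "prefix.PKG" does not count as a hit.
has_package() {
    tr -d '\r' | grep -Fqx "package:$1"
}

# classify PKG SYSTEM_LIST ALL_LIST
# SYSTEM_LIST is the output of `pm list packages -s` (system apps only),
# ALL_LIST the output of `pm list packages`. Prints one of:
#   system  - present in the system image (pre-installed)
#   user    - present as an ordinary installed app
#   absent  - not installed
classify() {
    if printf '%s\n' "$2" | has_package "$1"; then
        echo system
    elif printf '%s\n' "$3" | has_package "$1"; then
        echo user
    else
        echo absent
    fi
}

# audit_device SERIAL: query one attached device and classify TARGET on it.
audit_device() {
    sys_list=$(adb -s "$1" shell pm list packages -s)
    all_list=$(adb -s "$1" shell pm list packages)
    classify "$TARGET" "$sys_list" "$all_list"
}

# With --audit, walk every device that `adb devices` reports as ready.
if [ "${1:-}" = "--audit" ]; then
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do
        printf '%s\t%s\n' "$serial" "$(audit_device "$serial")"
    done
fi
```

A result of `system` means the app sits in the device's system image, the case the researchers describe as not fully removable without root access.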
“Vulnerabilities affecting apps with millions of downloads have been addressed by all stakeholders,” the researchers said.
“Combined with the broad system privileges of pre-installed apps, these vulnerabilities could have been attack vectors for attackers to gain access to system configurations and sensitive information.”
Microsoft did not respond to a request to share the full list of affected apps and carriers when BleepingComputer reached out today.