The vulnerabilities discovered by Microsoft in pre-installed Android System apps could have been attack vectors for threat actors to access system configuration and sensitive information.
Microsoft found what it called “high-severity vulnerabilities” in an mce Systems mobile framework that multiple large mobile service providers use in pre-installed Android system apps.
The vulnerabilities, which affected apps with millions of downloads, potentially exposed users to remote or local attacks; they have since been fixed by all involved parties.
The company discovered the vulnerabilities, identified as CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601, in September 2021. These were high-severity vulnerabilities with a Common Vulnerability Scoring System (CVSS) score of 7.0-8.9 (out of 10).
“Based on our analysis of the mce framework, we discovered several vulnerabilities. It should be noted that while mobile service providers can customize their apps respective to mce framework so as not to be identical, the vulnerabilities we discovered can all be exploited in the same manner—by injecting code into the web view. Nonetheless, as their apps and framework customization use different configurations and versions, not all providers are necessarily vulnerable to all the discovered vulnerabilities,” Microsoft noted.
Microsoft said there had been no reported signs of these vulnerabilities being exploited in the wild at the time of publication.
The company pointed to AT&T as one of the service providers that might have been vulnerable, saying it proactively worked with Microsoft to “ensure customers can safely continue to use the framework.”
“Several other mobile service providers were found using the vulnerable framework with their respective apps, suggesting that there could be additional providers still undiscovered that may be impacted,” Microsoft said.
It also encouraged customers of the affected providers to update to the latest versions of these apps from the Google Play store. The affected apps include, but are not limited to: com.telus.checkup, com.att.dh, com.fivemobile.myaccount, com.freedom.mlp.uat, and com.ca.bell.contenttransfer.