Microsoft researchers have found a series of serious vulnerabilities in the Android apps mobile service framework provided by MCE systems To make matters worse, these vulnerable Android apps have been downloaded millions of times in the official Google play app store, exposing users to major risks such as command injection and privilege escalation attacks.
(from: Microsoft security ) The
Related vulnerabilities include cve-2021-42598, cve-2021-42599, cve-2021-42600 and cve-2021-42601, and affect pre installed applications pre installed on customized mobile devices of telecom operators.
Jonathan bar or, sang Shin Jung, Michael peck, Joe Mansour and apurva Kumar, security researchers at Microsoft 365 defender, said:
These Android apps are embedded in the system image of the device, indicating that they are the default applications installed at the factory.
Affected operators include at& T. TELUS, Rogers communications, Bell Canada, and freedom mobile.
The embarrassing thing is that the relevant Android apps have escaped the Google play protect in the official Google App store.
To make matters worse, such default pre installed applications cannot be completely uninstalled or disabled without obtaining root access to the device.
(figure from: mce system ) The
Although before Microsoft publicly disclosed the relevant security vulnerabilities today, device manufacturers have fixed the relevant vulnerabilities to protect their customers from attacks.
However, some telecom enterprises / mobile service providers that provide terminal devices have not completely cleared up Android applications that use the same hidden danger service framework.
Microsoft added:
If someone with ulterior motives deploys hidden Android apps (package name: com.mce.mceiotraceagent) on the customer's device, other devices may also encounter such abuse and potential attacks.
Because these pre installed applications have extensive system permissions, related vulnerabilities may become an attack medium for attackers to access system configuration and other sensitive information.
In view of this, the researchers suggest that users who find that their devices have been installed with relevant Android apps should clean them up and apply the latest system security patches in time.
Finally, when bleepingcomputer contacted early Friday, Microsoft had not disclosed the complete list of affected Android apps and mobile operators.