
Serious security bugs put millions of Android devices at risk: Check details

The high-severity vulnerabilities, which have a Common Vulnerability Scoring System (CVSS) score of 7.0-8.9, are now identified as CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601.

Published: Thu, June 02, 2022 2:03pm

By Md Waquar Haider


Microsoft uncovered high-severity vulnerabilities in a mobile framework owned by mce Systems and used by multiple large mobile service providers in pre-installed Android system apps. The flaws potentially exposed users to remote (albeit complex) or local attacks.


The vulnerabilities, which affected apps with millions of downloads, have been fixed by all involved parties. Coupled with the extensive system privileges that pre-installed apps have, these vulnerabilities could have given attackers a way to access system configuration and sensitive information.


"As it is with many of pre-installed or default applications that most Android devices come with these days, some of the affected apps cannot be fully uninstalled or disabled without gaining root access to the device. We worked with mce Systems, the developer of the framework, and the affected mobile service providers to solve these issues. We commend the quick and professional resolution from the mce Systems engineering teams, as well as the relevant providers in fixing each of these issues, ensuring that users can continue using such a crucial framework," the tech giant said in a statement.



According to the Microsoft 365 Defender Research Team, the flaws could have given attackers backdoor access or allowed them to gain "substantial control" over vulnerable devices.

"Our analysis further found that the apps were embedded in the devices' system image, suggesting that they were default applications installed by phone providers," Microsoft explained. "All of the apps are available on the Google Play Store where they go through Google Play Protect's automatic safety checks, but these checks previously did not scan for these types of issues."

Additionally, the package com.mce.mceiotraceagent might be installed by several mobile phone repair shops. Mobile users are advised to look for that app name and remove it from their phone, if found.
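One way to run that check from a computer with `adb` and USB debugging enabled, as an added example that is not part of the original article or Microsoft's write-up. It classifies the package from `pm list packages` output; the function names and the `--device` switch are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: look for the package named in the article in an Android
# package inventory and report whether it is preinstalled or user-installed.
PKG="com.mce.mceiotraceagent"

# has_pkg NAME: reads `pm list packages` output on stdin and succeeds only on
# an exact line match, so a longer name sharing the prefix does not count.
# Older adb builds emit CRLF line endings, hence the tr.
has_pkg() {
    tr -d '\r' | grep -Fxq "package:$1"
}

# classify_pkg NAME ALL_LIST SYSTEM_LIST -> absent | user-installed | preinstalled
# ALL_LIST is `pm list packages`, SYSTEM_LIST is `pm list packages -s`.
classify_pkg() {
    if ! printf '%s\n' "$2" | has_pkg "$1"; then
        echo absent
    elif printf '%s\n' "$3" | has_pkg "$1"; then
        echo preinstalled
    else
        echo user-installed
    fi
}

# next_step STATE NAME: the action that matches the article's advice.
next_step() {
    case $1 in
        absent)         echo "nothing to do" ;;
        user-installed) echo "adb uninstall $2" ;;
        # System-image apps cannot be fully removed without root (per the
        # Microsoft statement quoted above), so keep them updated instead.
        preinstalled)   echo "update $2 from Google Play" ;;
    esac
}

# check_device: query the attached device; returns 2 if adb fails.
check_device() {
    all=$(adb shell pm list packages) || return 2
    system=$(adb shell pm list packages -s) || return 2
    state=$(classify_pkg "$PKG" "$all" "$system")
    echo "$PKG: $state -> $(next_step "$state" "$PKG")"
}

# Only touch a device when explicitly asked: sh check.sh --device
if [ "${1:-}" = "--device" ]; then
    check_device
fi
```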

The security flaws have since been patched after Microsoft worked with mce Systems and Google.
