Millions of Android devices affected by new security flaw that hides in pre-installed apps
Some of the vulnerable apps are still available on the Google Play Store. These apps have already passed the app storefront's automated security assessments
Published: Tue, June 28, 2022 3:52pm
By Danny Dcruze
Android devices are affected by another vulnerability, this time in applications that come pre-loaded on the smartphone. Microsoft has spotted four high-severity vulnerabilities affecting pre-installed Android system apps with millions of downloads. The new vulnerabilities have been fixed, but users need to update the applications in order to safeguard their personal data and device. The vulnerability has been fixed by Israeli developer MCE Systems.
How can it impact users?
The vulnerability can allow an attacker to launch remote and local attacks or be used as a vector to exploit system privileges to obtain sensitive information. The biggest issue with the new vulnerability is that it impacts some applications that come pre-installed with an Android device.
Microsoft 365 Defender Research Team said, "As it is with many of pre-installed or default applications that most Android devices come with these days, some of the affected apps cannot be fully uninstalled or disabled without gaining root access to the device."
The problems are listed among the Common Vulnerabilities and Exposures (CVE) of 2021. They are high-severity vulnerabilities, with Common Vulnerability Scoring System (CVSS) scores of 7.0-8.9.
According to a Microsoft blog post, the company discovered high-severity issues in a mobile framework owned by MCE Systems and utilised by many significant mobile service providers in pre-installed Android system applications. These might expose millions of users to both local and remote attacks. The vulnerabilities have security ratings ranging from 7.0 to 8.9 out of 10, which is considered High.
Microsoft's findings showed that the mobile framework provides a service that attackers may be able to use to implant a permanent backdoor or take significant control of the device. The technical and security teams at Microsoft and MCE Systems worked together to address these issues. MCE Systems has managed to resolve the issue.
MCE resolved the problem by issuing an urgent framework update to the affected providers and releasing bug patches. So far, there have been no publicly known instances of these vulnerabilities being exploited. Google has announced that it has upgraded its Play Protect service to cover the threat routes.
What should users do?
Some of the vulnerable apps are still available on the Google Play Store. These apps have already passed the app storefront's automated security assessments.
The only step users can take is to apply updates to all their applications. This issue doesn't need a system-wide update; only the pending app updates need to be downloaded. Many users who do not allow app updates to download over cellular data end up postponing the update while they wait for a Wi-Fi connection. In this case, users should update their apps even if it means doing so over cellular data.