June 24, 2024

Four high severity vulnerabilities have been disclosed in a framework used by pre-installed Android System apps with millions of downloads.

The issues, now fixed by its Israeli developer MCE Systems, could have potentially allowed threat actors to stage remote and local attacks or be abused as vectors to obtain sensitive information by taking advantage of their extensive system privileges.

“As it is with many of pre-installed or default applications that most Android devices come with these days, some of the affected apps cannot be fully uninstalled or disabled without gaining root access to the device,” the Microsoft 365 Defender Research Team said in a report published Friday.

The weaknesses, which range from command-injection to local privilege escalation, have been assigned the identifiers CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601, with CVSS scores between 7.0 and 8.9.

Command injection proof-of-concept (POC) exploit code
Injecting a similar JavaScript code to the WebView

The vulnerabilities were discovered and reported in September 2021 and there is no evidence that the shortcomings are being exploited in the wild.

Microsoft didn’t disclose the complete list of apps that use the vulnerable framework in question, which is designed to offer self-diagnostic mechanisms to identify and fix issues impacting an Android device.

This also meant that the framework had broad access permissions, including that of audio, camera, power, location, sensor data, and storage, to carry out its functions. Coupled with the issues identified in the service, Microsoft said it could permit an attacker to implant persistent backdoors and take over control.

Some of the affected apps are from large international mobile service providers such as Telus, AT&T, Rogers, Freedom Mobile, and Bell Canada –

Additionally, Microsoft is recommending users to look out for the app package “com.mce.mceiotraceagent” — an app that may have been installed by mobile phone repair shops — and remove it from the phones, if found.

The susceptible apps, although pre-installed by the phone providers, are also available on the Google Play Store and are said to have passed the app storefront’s automatic safety checks without raising any red flags because the process was not engineered to look out for these issues, something that has since been rectified.