Microsoft has publicly disclosed a series of vulnerabilities in a mobile framework used in Android apps “with millions of downloads” that could have exposed their users to attacks.
The company says it “uncovered high-severity vulnerabilities in a mobile framework owned by mce Systems and used by multiple large mobile service providers in pre-installed Android System apps that potentially exposed users to remote (albeit complex) or local attacks.”
The vulnerabilities have been identified as CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601; Microsoft says the flaws have received Common Vulnerability Scoring System (CVSS) scores between 7.0 and 8.9 out of 10.
The company says that mce Systems’ mobile framework includes a service that an attacker “could remotely invoke to exploit several vulnerabilities that could allow adversaries to implant a persistent backdoor or take substantial control over the device.”
Microsoft says it discovered the security flaws in September 2021. It then informed mce Systems and “the affected mobile service providers” of the vulnerabilities and collaborated with those companies to mitigate the problems so the relevant apps couldn’t be exploited by hackers.
“We worked closely with mce Systems’ security and engineering teams to mitigate these vulnerabilities,” Microsoft says, “which included mce Systems sending an urgent framework update to the impacted providers and releasing fixes for the issues. At the time of publication, there have been no reported signs of these vulnerabilities being exploited in the wild.”
The company also informed Google of these security flaws. Google reportedly responded by updating Google Play Protect, which Google says Android users can rely on to “help keep your apps safe and your data private,” so that it detects vulnerabilities of this nature.
But the full extent of these vulnerabilities isn’t known. Microsoft says that “there could be additional providers still undiscovered that may be impacted” by these flaws, and notes that “several mobile phone repair shops” may have installed a vulnerable app on customers’ devices. Android users have been advised to look for that app and remove it from their phones.
More information about the vulnerabilities—including the part of mce Systems’ mobile framework affected, how they could have been exploited, and more—is available via Microsoft’s report.