Reveals the existence of high-severity vulnerabilities affecting millions of downloaded Android apps

The mobile framework used in Android system apps that are pre-installed on devices by multiple carriers has a serious vulnerability that could expose users to remote and local attacks. Microsoft has revealed that. The app can also be downloaded from Google Play, and the number of DLs is said to be in the millions, but the vulnerability has already been fixed.
Android apps with millions of downloads exposed to high-severity vulnerabilities --Microsoft Security Blog
https://www.microsoft.com/security/blog/2022/05/27/android-apps-with-millions-of-downloads-exposed-to-high-severity-vulnerabilities/

Microsoft finds severe bugs in Android apps from large mobile providers
https://www.bleepingcomputer.com/news/security/microsoft-finds-severe-bugs-in-android-apps-from-large-mobile-providers/
The vulnerability was discovered in September 2021.
According to Microsoft, the vulnerability in question is in a mobile framework owned by mce Systems, which also uses apps pre-installed by telecommunications carriers such as AT & T, TELUS, Rogers Communications, Bell Canada, and Freedom Mobile as system apps. What exists. Some of the apps can be downloaded from Google Play, and the number of downloads is said to be in the millions.
Coupled with the wide range of system privileges that pre-installed apps have, they could be an attack medium for attackers to access system configurations and sensitive information.
There are four vulnerabilities:
CVE --CVE-2021-42598
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42598
CVE --CVE-2021-42599
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42599
CVE --CVE-2021-42600
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42600
CVE --CVE-2021-42601
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42601
Since some devices cannot be completely disabled or uninstalled without root privileges, Microsoft contacted mce Systems and target mobile service providers prior to disclosure and cooperated to address the vulnerability. It is said that it corresponded to the correction.
Related Posts: