May 30, 2022 19:00:00

Reveals the existence of high-severity vulnerabilities affecting millions of downloaded Android apps

This article, originally posted in Japanese on 19:00 May 30, 2022, may contains some machine-translated parts.
If you would like to suggest a corrected translation, please click here.

The mobile framework used in Android system apps that are pre-installed on devices by multiple carriers has a serious vulnerability that could expose users to remote and local attacks. Microsoft has revealed that. The app can also be downloaded from Google Play, and the number of DLs is said to be in the millions, but the vulnerability has already been fixed.

Android apps with millions of downloads exposed to high-severity vulnerabilities --Microsoft Security Blog

https://www.microsoft.com/security/blog/2022/05/27/android-apps-with-millions-of-downloads-exposed-to-high-severity-vulnerabilities/

Microsoft finds severe bugs in Android apps from large mobile providers
https://www.bleepingcomputer.com/news/security/microsoft-finds-severe-bugs-in-android-apps-from-large-mobile-providers/

The vulnerability was discovered in September 2021.

According to Microsoft, the vulnerability in question is in a mobile framework owned by mce Systems, which also uses apps pre-installed by telecommunications carriers such as AT & T, TELUS, Rogers Communications, Bell Canada, and Freedom Mobile as system apps. What exists. Some of the apps can be downloaded from Google Play, and the number of downloads is said to be in the millions.

Coupled with the wide range of system privileges that pre-installed apps have, they could be an attack medium for attackers to access system configurations and sensitive information.

There are four vulnerabilities:

CVE --CVE-2021-42598
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42598

CVE --CVE-2021-42599
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42599

CVE --CVE-2021-42600
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42600

CVE --CVE-2021-42601
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42601

Since some devices cannot be completely disabled or uninstalled without root privileges, Microsoft contacted mce Systems and target mobile service providers prior to disclosure and cooperated to address the vulnerability. It is said that it corresponded to the correction.

Related Posts:

May 30, 2022 19:00:00 in Mobile, Software, Security, Posted by logc_nt

Archives

Categories: Note; Headline; Review; Coverage; Interview; Tasting; Mobile; Software; Web Service; Web Application; Hardware; Vehicle; Science; Creature; Video; Movie; Manga; Anime; Game; Design; Art; Food; Security; Notice; Pick Up; Column

Search

<	3, 2025					>
Sun	Mon	Tue	Wed	Thu	Fri	Sat
23	24	25	26	27	28	1
2	3	4	5	6	7	8
9	10	11	12	13	14	15
16	17	18	19	20	21	22
23	24	25	26	27	28	29
30	31	1	2	3	4	5

<	3, 2025					>
Sun	Mon	Tue	Wed	Thu	Fri	Sat
23	24	25	26	27	28	1
2	3	4	5	6	7	8
9	10	11	12	13	14	15
16	17	18	19	20	21	22
23	24	25	26	27	28	29
30	31	1	2	3	4	5

<	3, 2025					>
Sun	Mon	Tue	Wed	Thu	Fri	Sat
23	24	25	26	27	28	1
2	3	4	5	6	7	8
9	10	11	12	13	14	15
16	17	18	19	20	21	22
23	24	25	26	27	28	29
30	31	1	2	3	4	5

<	3, 2025					>
Sun	Mon	Tue	Wed	Thu	Fri	Sat
23	24	25	26	27	28	1
2	3	4	5	6	7	8
9	10	11	12	13	14	15
16	17	18	19	20	21	22
23	24	25	26	27	28	29
30	31	1	2	3	4	5