"Microsoft Finds Major Security Flaws in Pre-Installed Android Apps"

Bug hunters at Microsoft have discovered several high-severity vulnerabilities in a mobile framework used in pre-installed Android System apps. The researchers warn that exploitation could have allowed the implantation of a persistent backdoor on Android devices. A total of four documented vulnerabilities were found and fixed in a mobile framework owned by mce Systems, an Israeli company that provides software to mobile carriers. The bug hunters stated that, coupled with the extensive system privileges that pre-installed apps have, these vulnerabilities could have been attack vectors for accessing system configuration and sensitive information. They also warned that some of the affected apps cannot be fully uninstalled or disabled without gaining root access to the device. The four flaws are CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601. Details on the bugs were shared with the affected vendor in September 2021, and Microsoft said mce Systems sent an urgent framework update to the impacted providers and released fixes for the issues. There are currently no reported signs of these vulnerabilities being exploited in the wild. The researchers also warned that several additional mobile carriers were found using the vulnerable framework with their respective apps, suggesting that other, still undiscovered providers could be impacted.

 

SecurityWeek reports: "Microsoft Finds Major Security Flaws in Pre-Installed Android Apps"

Submitted by Anonymous on