Recently, a Microsoft research team discovered four high-severity vulnerabilities in a framework, developed by Israeli software developer MCE Systems, that is used by pre-installed Android system applications. Worryingly, these apps have already reached millions of downloads on the official Google Play store.

"Because most Android devices today come with many pre-installed or default apps, without root access to the device, some affected applications cannot be completely uninstalled or disabled."

These vulnerabilities could allow threat actors to launch remote and local attacks, or be abused as vectors to gain access to sensitive information through the apps' broad system privileges.

High-severity vulnerabilities in Android apps may pose a threat to cyberspace security

According to reports, the vulnerabilities discovered this time include command injection and local privilege escalation, among others. They have been assigned the identifiers CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601, with CVSS scores between 7.0 and 8.9.

(CVSS: the Common Vulnerability Scoring System, an open industry standard designed to rate the severity of vulnerabilities and to help determine the urgency and importance of the required response. It provides a way to capture the main characteristics of a vulnerability and generate a numerical score that reflects its severity.)


(command injection proof-of-concept (POC) attack code)


(Injecting similar JavaScript code into a WebView)

Some of these vulnerabilities were discovered and reported as early as September 2021, and there is currently no evidence that these flaws are being exploited.

The framework has broad access, including audio, camera, power, location, sensor data, and storage permissions, to perform its functions.

Combined with the vulnerabilities found in the service, Microsoft said it could allow an attacker to plant a persistent backdoor and take over control.

Customers already affected by this batch of vulnerabilities include major international mobile service providers such as Telus, AT&T, Rogers, Freedom Mobile and Bell Canada:

Mobile Klinik Device Checkup (com.telus.Checkup)
Device Help (com.att.dh)
MyRogers (com.fivemobile.myaccount)
Freedom Equipment Maintenance (com.Freedom.mlp.uat)
Device Content Transfer (com.ca.bell.contenttransfer)

These vulnerable Android Apps, although pre-installed by phone providers, can also be found on the Google Play Store.

Sadly, some of the affected Android Apps have "escaped" the Google Play Store's automatic security checks and cannot be uninstalled or disabled completely without rooting the device.

Although MCE Systems fixed the related vulnerabilities before Microsoft released this security vulnerability report, some telecommunications companies and mobile service providers that supply devices have not yet been able to repair Android applications that use the same service framework.

Therefore, Microsoft researchers recommend that users who have installed related Android Apps on their devices delete them immediately and download the latest system security patches.

In addition, Microsoft also advises users to keep an eye out for the application package "com.mce.mceiotraceagent", which is an application that may be installed by a mobile phone repair shop, and delete it from the phone immediately if found.
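The check recommended above can be run against a device's package inventory. The following is an added example, not code from Microsoft's report or from this article: it assumes the inventory comes from `adb shell pm list packages` (plain, `-f` or `-U` output), and the function names and sample output are constructed for illustration.

```python
# Added example: flag packages named in this article in `pm list packages` output.
AFFECTED = {
    # Package names and labels as listed in the article.
    "com.telus.Checkup": "Mobile Klinik Device Checkup",
    "com.att.dh": "Device Help",
    "com.fivemobile.myaccount": "MyRogers",
    "com.Freedom.mlp.uat": "Freedom Equipment Maintenance",
    "com.ca.bell.contenttransfer": "Device Content Transfer",
    "com.mce.mceiotraceagent": "MCE agent possibly installed by a repair shop",
}
# Assumption of this example: match case-insensitively, since the casing printed
# in the article may differ from the casing of the package on a device.
_LOOKUP = {name.lower(): label for name, label in AFFECTED.items()}


def parse_packages(pm_output):
    """Extract package names from `pm list packages` output (plain, -f or -U)."""
    names = []
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue  # skip blank lines and adb warnings
        parts = line[len("package:"):].split()  # drops a trailing " uid:NNNN"
        if parts:
            # With -f the entry is "<apk path>=<package>"; the path may contain "=".
            names.append(parts[0].rsplit("=", 1)[-1])
    return names


def find_affected(pm_output):
    """Return sorted (installed_name, label) pairs for packages named in the article."""
    hits = set()
    for name in parse_packages(pm_output):
        label = _LOOKUP.get(name.lower())
        if label:
            hits.add((name, label))
    return sorted(hits)


# Constructed sample output, not taken from a real device.
SAMPLE = """\
package:com.android.chrome
package:/data/app/~~Qx1==/com.att.dh-9aB==/base.apk=com.att.dh
package:com.mce.mceiotraceagent uid:10231
package:com.telus.checkup
"""

if __name__ == "__main__":
    for name, label in find_affected(SAMPLE):
        print(f"{name}: {label}")
```

A match only shows that a listed package is present; whether the installed version already contains MCE Systems' fix has to be checked against the provider's update.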

Reference link: https://thehackernews.com/2022/05/microsoft-finds-critical-bugs-in-pre.html


MissD