A couple of high-severity vulnerabilities were recently discovered in a mobile framework serving the Android operating system, putting millions of people at risk.
The Microsoft 365 Defender Research Team, which discovered the flaws in September last year, says they could have been used to launch serious attacks on target devices, resulting in data theft and partial device takeover.
According to a new blog post, Microsoft “uncovered high-severity vulnerabilities in a mobile framework owned by mce Systems and used by multiple large mobile service providers in pre-installed Android System apps that potentially exposed users to remote (albeit complex) or local attacks”.
The vulnerabilities are being tracked as CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601, with severity scores ranging from 7.0 to 8.9 out of 10.
Taking over the device
Further detailing its findings, Microsoft said the mobile framework includes a service that could be leveraged to “allow adversaries to implant a persistent backdoor or take substantial control over the device”.
The company notified both mce Systems and affected mobile service providers (some of which are “international”), and teamed up with them to work on a fix. All of the vulnerabilities have now been addressed, the blog states.
“We worked closely with mce Systems’ security and engineering teams to mitigate these vulnerabilities,” Microsoft said, “which included mce Systems sending an urgent framework update to the impacted providers and releasing fixes for the issues. At the time of publication, there have been no reported signs of these vulnerabilities being exploited in the wild”.
Google also pitched in, updating its Play Protect service to cover off the attack vectors.
While Microsoft says there is no evidence of the flaws being exploited in the wild, it did add that there could be more undiscovered providers affected by the flaw, including “several mobile phone repair shops” that might have installed vulnerable apps on people’s endpoints.