The Microsoft 365 Defender Research Team has found some vulnerabilities in a mobile framework from mce Systems. The problem: this framework is used by some apps that mobile providers deliver preinstalled on their smartphones, so millions of users were vulnerable via these apps. Even though Microsoft only investigated US mobile providers and they have updated the apps in the meantime, the incident once again shows how shaky the entire app model is because of its reliance on various frameworks.
The whole thing was already published in this blog post a few days ago; I recently came across the issue via Twitter. The following tweet points out the discovered issue.
It is well known that mobile carriers install apps on devices that the user then cannot completely uninstall (without root access); this bloatware problem has been known for a long time. South Korea has had guidelines since 2015 stating that smartphone manufacturers must allow the user to uninstall unused apps. Not much has happened since then.
Microsoft takes a closer look
The Microsoft 365 Defender Research Team therefore looked at Android devices from US mobile providers (AT&T, TELUS, Rogers Communications, Bell Canada, and Freedom Mobile) to see whether the preinstalled apps have security vulnerabilities. In the process, the security researchers found issues in a mobile framework from mce Systems, which is used by several major mobile providers in preinstalled Android system apps.
Background: the framework appeared to be designed to provide self-diagnostic mechanisms for identifying and fixing problems in the Android device. This means that the apps were granted appropriate permissions to access valuable resources. For example, the framework was authorized to access system resources and perform system-related tasks, such as setting the device's audio, camera, power and memory controls. In addition, the security researchers found that the framework was used by standard system applications to leverage its self-diagnostic capabilities. This showed that the associated applications also had extensive device privileges that could be exploited via a potentially vulnerable framework.
The analysis discovered several high-severity vulnerabilities: CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601 (a "BROWSABLE" service activity is likely responsible), potentially leaving users vulnerable to (albeit complex) remote or local attacks. Combined with the extensive system privileges that preinstalled apps have, these vulnerabilities could have allowed attackers to access system configuration and sensitive information.
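As an added illustration (not code from Microsoft's write-up or from the framework itself), the following audit reads a decoded AndroidManifest.xml and lists every activity that a web link can start through a BROWSABLE intent filter, together with the permissions the app requests. The sample manifest, package name, class names and URI scheme are constructed for the example.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
BROWSABLE = "android.intent.category.BROWSABLE"

# Constructed sample manifest; package, classes and scheme are hypothetical.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.carrier.diag">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <activity android:name=".LinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="exampleapp"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
  </application>
</manifest>
""".strip()

def audit_manifest(xml_text):
    """Return requested permissions and the activities a browser link can start."""
    root = ET.fromstring(xml_text)
    perms = sorted(filter(None, (p.get(A + "name") for p in root.iter("uses-permission"))))
    findings = []
    for tag in ("activity", "activity-alias"):
        for comp in root.iter(tag):
            # An explicit exported="false" closes the component to other apps.
            # With no attribute, an intent filter made it exported by default
            # for apps targeting API levels below 31.
            if comp.get(A + "exported") == "false":
                continue
            for flt in comp.iter("intent-filter"):
                cats = {c.get(A + "name") for c in flt.iter("category")}
                if BROWSABLE in cats:
                    schemes = sorted({d.get(A + "scheme") for d in flt.iter("data")
                                      if d.get(A + "scheme")})
                    findings.append({"component": comp.get(A + "name"), "schemes": schemes})
    return {"package": root.get("package"), "permissions": perms, "browsable": findings}

if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    for f in report["browsable"]:
        print(report["package"], f["component"], f["schemes"], report["permissions"])
```

A BROWSABLE entry point in an app that also holds broad device permissions is the combination worth reviewing first, since input arriving through the link is attacker-controlled.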
The details can be read in the Microsoft blog post "Android apps with millions of downloads exposed to high-severity vulnerabilities". The discovered vulnerabilities have been rated with Common Vulnerability Scoring System (CVSS) scores between 7.0 and 8.9. After Microsoft informed the developer of the framework in the fall of 2021, the vulnerabilities affecting apps with millions of downloads were fixed by all parties involved.