Microsoft uncovers high-severity vulnerabilities in Android apps with millions of downloads
Microsoft has uncovered high-severity vulnerabilities which affected Android apps with millions of downloads. The vulnerabilities have been fixed by all involved parties, the Microsoft 365 Defender Research Team said on Friday.
The vulnerabilities - identified as CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601 - were found in a mobile framework owned by Israeli firm mce Systems and used by multiple large mobile service providers in pre-installed Android System apps that potentially exposed users to remote (albeit complex) or local attacks.
The vulnerabilities could have served as attack vectors, allowing attackers to access system configuration and sensitive information, the researchers noted.
All of the vulnerable Android apps, which were default applications installed by phone providers, are available on the Google Play Store where they go through Google Play Protect's automatic safety checks.
Microsoft discovered the vulnerabilities in September 2021 and shared its findings with mce Systems and the affected mobile service providers. The two companies worked closely to mitigate these vulnerabilities.
"We worked with mce Systems, the developer of the framework, and the affected mobile service providers to solve these issues. We commend the quick and professional resolution from the mce Systems engineering teams, as well as the relevant providers in fixing each of these issues, ensuring that users can continue using such a crucial framework," Microsoft said.
"We want to thank mce Systems' engineering teams for collaborating quickly and efficiently in resolving these issues as well as to AT&T for proactively working with Microsoft to ensure customers can safely continue to use the framework," it added.
According to mce Systems, some of these vulnerabilities also affected other apps on both Android and iOS devices. Moreover, the vulnerable framework and affiliated apps were found on devices from large international mobile service providers. The Israeli firm also permitted providers to customize and brand their respective mobile apps and frameworks.