These security flaws could have endangered millions of Android phones

Google apps on an Android phone home screen
Google apps (Image credit: Jay Bonggolto / Android Central)

What you need to know

  • Microsoft has exposed serious vulnerabilities in pre-installed Android apps with millions of downloads.
  • The security flaws could have allowed attackers to inject backdoor access or gain control of millions of devices.
  • Google and other concerned parties have already patched the vulnerabilities.

A bunch of serious security flaws in a mobile framework used for pre-installed Android apps from various mobile service providers could have put millions of devices at risk. Microsoft has uncovered these vulnerabilities, which have since been patched.

The mobile framework affected is developed by mce Systems, an Israel-based provider of omnichannel device lifecycle management. Microsoft said it initially detected the security flaws in September 2021 and informed mce Systems as well as affected mobile service providers about its findings.

Microsoft identified the vulnerabilities as CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601, with a score of 7.0–8.9 (high-severity).

The vulnerabilities affected apps with millions of downloads, potentially exposing users to remote or local attacks. According to Microsoft's 365 Defender Research Team, the flaws could have given attackers backdoor access or allowed them to gain "substantial control" over vulnerable devices.

"Our analysis further found that the apps were embedded in the devices’ system image, suggesting that they were default applications installed by phone providers," Microsoft explained. "All of the apps are available on the Google Play Store where they go through Google Play Protect’s automatic safety checks, but these checks previously did not scan for these types of issues."

The security flaws have since been patched after Microsoft worked with mce Systems and Google. Android Central has contacted Google for comment and will update this article when we receive a response.

Fortunately, there's currently no evidence to suggest the vulnerabilities have been exploited in the wild. However, Microsoft warns that the vulnerable framework might still exist in apps from other telcos.

"Several other mobile service providers were found using the vulnerable framework with their respective apps, suggesting that there could be additional providers still undiscovered that may be impacted," the Redmond-based software giant said.

Microsoft added that Google Play Protect now scans for these types of vulnerabilities.

That said, it highlights the risks associated with pre-installed apps that ship with many of today's best Android phones and are impossible to remove without root access.

Jay Bonggolto
News Writer & Reviewer

Jay Bonggolto always keeps a nose for news. He has been writing about consumer tech and apps for as long as he can remember, and he has used a variety of Android phones since falling in love with Jelly Bean. Send him a direct message via Twitter or LinkedIn.