Experts from the Microsoft 365 Defender Research Team have discovered four vulnerabilities in the framework used in pre-installed Android system applications that cannot be removed.
The flaws, which MCE Systems, the framework's Israeli developer, has already patched, allowed attackers to mount both remote and local attacks and to obtain sensitive information with system privileges.
“As with many pre-installed and factory-installed applications on Android devices, some vulnerable applications cannot be completely uninstalled or disabled without superuser privileges on the device,” the experts said.
The vulnerabilities, ranging from command injection to local privilege escalation, were assigned the identifiers CVE-2021-42598, CVE-2021-42599, CVE-2021-42600 and CVE-2021-42601.
The researchers did not provide a complete list of affected applications, but it is known that the vulnerable framework plays the role of a self-diagnosis mechanism to identify and fix problems on Android devices. This means that the framework has extensive access, including to audio, camera, power, location data, sensors and storage, which it needs for normal operation. Such access, coupled with the vulnerabilities described above, can allow hackers to introduce backdoors into devices and seize control over them.
Some of the affected apps belong to major telecom operators, including Telus, AT&T, Rogers, Freedom Mobile and Bell Canada:
Mobile Klinik Device Checkup (com.telus.checkup)
Device Help (com.att.dh)
Freedom Device Care (com.freedom.mlp.uat)
Device Content Transfer (com.ca.bell.contenttransfer)
In addition, Microsoft recommends that users check their devices for the com.mce.mceiotraceagent package, an application that may be installed by mobile phone repair shops. If the package is found, it should be removed.
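One way to carry out the check the article recommends, as an added example that is not code from the article, Microsoft or MCE Systems: a POSIX shell script that scans an Android package listing for the package names named above. It assumes the listing comes from `adb shell pm list packages` on a device with USB debugging enabled; to run offline it uses a constructed sample listing (not real device output).

```shell
#!/bin/sh
# Added example (not from the article, Microsoft or MCE Systems): look for the
# package names the article lists in the output of `pm list packages`.
# Assumption: the listing is produced by `adb shell pm list packages`, one
# "package:<name>" entry per line, possibly with CRLF line endings.

# Package names taken from the article (the four carrier apps plus the
# repair-shop agent Microsoft advises users to look for).
MCE_PACKAGES="com.telus.checkup com.att.dh com.freedom.mlp.uat com.ca.bell.contenttransfer com.mce.mceiotraceagent"

# Constructed sample listing in the `pm list packages` format (not real output).
SAMPLE_LISTING="package:com.android.settings
package:com.att.dh
package:com.mce.mceiotraceagent
package:com.example.notes"

# find_mce_packages LISTING
# Prints, one per line, every article-listed package present in LISTING.
find_mce_packages() {
    listing="$1"
    for pkg in $MCE_PACKAGES; do
        # Strip CRs that adb may emit, then require an exact whole-line match so
        # a longer name such as com.att.dh.extra is not mistaken for com.att.dh.
        if printf '%s\n' "$listing" | tr -d '\r' | grep -qx "package:$pkg"; then
            printf '%s\n' "$pkg"
        fi
    done
}

# count_mce_packages LISTING
# Prints the number of article-listed packages present in LISTING.
count_mce_packages() {
    find_mce_packages "$1" | wc -l | tr -d ' '
}

# Live use on a connected device (USB debugging required):
#   find_mce_packages "$(adb shell pm list packages)"
# Offline demonstration on the constructed listing:
find_mce_packages "$SAMPLE_LISTING"
```

A non-empty result means at least one of the listed packages is installed; for com.mce.mceiotraceagent the article's guidance is to remove it, while the carrier apps are covered by the vendor's fix and should be updated through the normal channel.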