Pre-installed apps on Android smartphones found with critical flaws

June 1, 2022

Microsoft has recently revealed four high-severity vulnerabilities in pre-installed Android apps that have millions of user downloads and are found on most smartphones. The now-patched critical flaws could have enabled threat actors to launch cyberattacks through several vectors to steal users’ data.

In its post, the tech giant noted that most pre-installed applications on most Android devices cannot be uninstalled unless the user has root access to the device. Thus, the recently discovered bugs could have been harmful to users, since most pre-installed apps were found to have vulnerabilities.

The four critical flaws affecting Android smartphones, with CVSS scores ranging from 7 to 8.9, are CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601.

Microsoft explained that, since the flaws were discovered in September last year, it has found no indication that cybercriminals have abused them. Furthermore, the tech giant did not share the list of the compromised Android applications. Experts presume that the framework in question could have had broad access permissions to perform its functions, covering resources such as camera, storage, audio, location, and sensor data.

Microsoft also added that the bugs could enable threat actors to inject malware and backdoors and fully compromise the affected apps on Android smartphones. Nonetheless, the tech firm shared that some of the affected applications include those from large mobile service providers AT&T, TELUS, Rogers, Bell Canada, and Freedom Mobile.

For users of Android smartphones, the tech giant strongly recommends checking for the app package ‘com.mce.mceiotraceagent’, an application that mobile phone repair shops could have installed on their devices, since it could be used maliciously. If it is found, users must remove it immediately.
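One way to run the package check described above across attached devices, as an added example that is not from Microsoft or from this article. It assumes `adb` is installed and USB debugging is authorised on each device; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: look for the package named in the article on attached devices.
TARGET_PKG='com.mce.mceiotraceagent'

# has_package NAME: reads `pm list packages` output on stdin and succeeds only
# on an exact match. Lines look like "package:com.example.app"; adb may append
# CR, and a substring match would flag unrelated packages.
has_package() {
    tr -d '\r' | sed -n 's/^package://p' | grep -Fx -- "$1" >/dev/null
}

# list_devices: reads `adb devices` output on stdin and prints only serials in
# the "device" state (skips "unauthorized" and "offline" entries).
list_devices() {
    tr -d '\r' | awk 'NR > 1 && $2 == "device" { print $1 }'
}

# scan_devices: checks every usable device; returns 1 if any has the package.
scan_devices() {
    found=0
    for serial in $(adb devices | list_devices); do
        if adb -s "$serial" shell pm list packages | has_package "$TARGET_PKG"; then
            echo "$serial: $TARGET_PKG is installed"
            found=1
        else
            echo "$serial: $TARGET_PKG not found"
        fi
    done
    return "$found"
}

# Constructed sample of `pm list packages` output (not from a real device).
# The second entry is a made-up name that only contains the target as a suffix.
SAMPLE_CLEAN='package:com.android.settings
package:org.example.com.mce.mceiotraceagent'

case "${1:-}" in
    --scan) scan_devices ;;
    *)  if printf '%s\n' "$SAMPLE_CLEAN" | has_package "$TARGET_PKG"; then
            echo "sample: installed"
        else
            echo "sample: not found"
        fi ;;
esac
```

Run with `--scan` to query real devices; without arguments it only evaluates the constructed sample.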

Android phone providers typically install the applications on the devices; however, those apps can also be found on the Google Play Store. These pre-installed apps are said to have passed all automatic safety checks, which had not been designed to flag such security issues. As a result, they remained exposed to the critical flaws until they were eventually patched.

Microsoft concluded that its collaboration with many industry experts had helped it fix these issues, and that it will continue to work with the cybersecurity community to improve detection and establish better security for all users.
