Researchers at Microsoft have discovered a number of exploitable, highly severe vulnerabilities in an Android app framework used by mobile phone carriers.
Although all parties have been informed and the issues have reportedly been resolved, the fact these apps – many of them pre-installed – had such gaping security holes is concerning.
Although antivirus software can save your skin in a lot of instances, it’s crucial that you always update your software when new patches are released.
Which Apps Were Affected?
The vulnerabilities were found in a mobile framework developed and owned by mce systems, which is used by mobile phone carrier apps on Android phones.
Many of the mobile carrier apps affected come pre-installed on Android phones bought from the same carrier – although the apps are also available on the Play Store and have millions of downloads.
Companies affected by the vulnerability include AT&T, Rogers Communications, Freedom Mobile, TELUS, and Bell Canada. Together, they have millions of downloads and users.
What Type of Attacks Was the Framework Vulnerable to?
According to the Microsoft Defender blog, the issues leave users open to both “command injection” and “privilege escalation” attacks.
Command injection attacks do exactly as the name suggests – they let malicious actors execute arbitrary code inside a vulnerable system or network. Privilege escalation attacks, on the other hand, are designed to help hackers gain unauthorized (and elevated) access to parts of a system or network that are usually protected from most users.
“With the extensive system privileges that pre-installed apps have, these vulnerabilities could have been attack vectors for attackers to access system configuration and sensitive information” – Microsoft 365 Defender Research Team.
Microsoft says that “with the extensive system privileges that pre-installed apps have, these vulnerabilities could have been attack vectors for attackers to access system configuration and sensitive information.”
Analysis of an app affiliated with the mce system permissions, tells us about the permissions that could in theory provide dangerously extensive access to an attacker. This includes permissions relating to internet access, Wi-Fi and network states, Bluetooth, camera and audio access, as well as contact and account information.
The tech giant’s team also suggested that the issues could be exploited to orchestrate both remote and local attacks, although the former would be complex.
How Can I Protect Myself from Threats on Mobile?
Despite the fact that 50% of all website traffic now comes from mobile, often people associate online threats with laptops and desktops.
The widely-circulated half-truth that iPhones can’t get viruses hasn’t helped with this perception that you don’t need to make many security adjustments to your phone.
However, this is untrue. You can get viruses on whatever phone you have, regardless of the OS, and the more people use phones to surf the internet, the more frequent viruses will become. More and more business people now complete important work on their phones too, so the stakes have never really been higher.
So, ensure you have antivirus software for your mobile, and it’s a good idea to use password managers for accounts you have with apps, so at least a hacker won’t be able to recycle your credentials if they do compromise an account you own.