Microsoft Unveils ‘Severe’ Vulnerability Affecting Popular Android Apps

Microsoft reports that the vulnerabilities affect some iOS apps too, along with their Android counterparts.
Aaron Drapkin

Researchers at Microsoft have discovered a number of exploitable, highly severe vulnerabilities in an Android app framework used by mobile phone carriers.

Although all parties have been informed and the issues have reportedly been resolved, the fact these apps – many of them pre-installed – had such gaping security holes is concerning.

Although antivirus software can save your skin in a lot of instances, it’s crucial that you always update your software when new patches are released.

Which Apps Were Affected?

The vulnerabilities were found in a mobile framework developed and owned by mce systems, which is used by mobile phone carrier apps on Android phones.

Many of the mobile carrier apps affected come pre-installed on Android phones bought from the same carrier – although the apps are also available on the Play Store and have millions of downloads.

Companies affected by the vulnerability include AT&T, Rogers Communications, Freedom Mobile, TELUS, and Bell Canada. Together, they have millions of downloads and users.

What Type of Attacks Was the Framework Vulnerable to?

According to the Microsoft Defender blog, the issues leave users open to both “command injection” and “privilege escalation” attacks.

Command injection attacks do exactly as the name suggests – they let malicious actors execute arbitrary code inside a vulnerable system or network. Privilege escalation attacks, on the other hand, are designed to help hackers gain unauthorized (and elevated) access to parts of a system or network that are usually protected from most users.

“With the extensive system privileges that pre-installed apps have, these vulnerabilities could have been attack vectors for attackers to access system configuration and sensitive information” – Microsoft 365 Defender Research Team.

Microsoft says that “with the extensive system privileges that pre-installed apps have, these vulnerabilities could have been attack vectors for attackers to access system configuration and sensitive information.”

Analysis of an app affiliated with the mce system permissions, tells us about the permissions that could in theory provide dangerously extensive access to an attacker. This includes permissions relating to internet access, Wi-Fi and network states, Bluetooth, camera and audio access, as well as contact and account information.

The tech giant’s team also suggested that the issues could be exploited to orchestrate both remote and local attacks, although the former would be complex.

How Can I Protect Myself from Threats on Mobile?

Despite the fact that 50% of all website traffic now comes from mobile, often people associate online threats with laptops and desktops.

The widely-circulated half-truth that iPhones can’t get viruses hasn’t helped with this perception that you don’t need to make many security adjustments to your phone.

However, this is untrue. You can get viruses on whatever phone you have, regardless of the OS, and the more people use phones to surf the internet, the more frequent viruses will become. More and more business people now complete important work on their phones too, so the stakes have never really been higher.

So, ensure you have antivirus software for your mobile, and it’s a good idea to use password managers for accounts you have with apps, so at least a hacker won’t be able to recycle your credentials if they do compromise an account you own.

Did you find this article helpful? Click on one of the following buttons
We're so happy you liked! Get more delivered to your inbox just like it.

We're sorry this article didn't help you today – we welcome feedback, so if there's any way you feel we could improve our content, please email us at contact@tech.co

Aaron Drapkin is a Senior Writer at Tech.co. He has been researching and writing about technology, politics, and society in print and online publications since graduating with a Philosophy degree from the University of Bristol three years ago. As a writer, Aaron takes a special interest in VPNs and project management software. He has been quoted in the Daily Mirror, Daily Express, The Daily Mail, Computer Weekly, and the Silicon Republic speaking on various privacy and cybersecurity issues, and has articles published in Wired, Vice, Metro, The Week, and Politics.co.uk covering a wide range of topics.

Explore More See all news
close Building a Website? Get 50% off Wix premium plans until June 30 Claim 50% Off