Serious security bugs put millions of Android devices at risk

The flaws have since been patched

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

A couple of high-severity vulnerabilities were recently discovered in a mobile framework serving theAndroidoperating systems, putting millions of people at risk.

TheMicrosoft365 Defender Research Team, which discovered the flaws in September last year, says they could have been used to launch serious attacks on target devices, resulting in data theft and partial device takeover.

According to a newblog post, Microsoft “uncovered high-severityvulnerabilitiesin a mobile framework owned by mce Systems and used by multiple large mobile service providers in pre-installed Android System apps that potentially exposed users to remote (albeit complex) or local attacks”.

The vulnerabilities are being tracked as CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601, with severity scores ranging from 7.0 to 8.9 out of 10.

Share your thoughts on Cybersecurity and get a free copy of the Hacker’s Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at theend of this surveyto get the bookazine, worth $10.99/£10.99.

Taking over the device

Further detailing its findings, Microsoft said the mobile framework includes a service that could be leveraged to “allow adversaries to implant a persistent backdoor or take substantial control over the device".

The company notified both mce Systems and affected mobile service providers (some of which are  “international”), and teamed up with them to work on a fix. All of the vulnerabilities have now been addressed, the blog states.

Google fixes “critical” Android 12 security flaw>This Android security flaw could let hackers follow all your movements>Your Windows antivirus will now spot Android and iOS flaws too

“We worked closely with mce Systems’ security and engineering teams to mitigate these vulnerabilities,” Microsoft said, “which included mce Systems sending an urgent framework update to the impacted providers and releasing fixes for the issues. At the time of publication, there have been no reported signs of these vulnerabilities being exploited in the wild”.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Googlealso pitched in, updating its Play Protect service to cover off the attack vectors.

While Microsoft says there is no evidence of the flaws being exploited in the wild, it did add that there could be more undiscovered providers affected by the flaw, including “several mobile phone repair shops” that might have installed vulnerable apps on people’sendpoints.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Nokia confirms data breach leaked third-party code, but its data is safe

Rising AI threats are making firms turn back to human intelligence

Black Friday is here: Sony XM5 over-ears drop to their lowest-seen price – act fast!