Android: 4 critical vulnerabilities discovered

Four high-severity vulnerabilities have been disclosed in a framework used by pre-installed applications of the android system, downloaded by the millions. The issues, now fixed by its Israeli developer MCE Systemscould have potentially allowed threat actors to stage local and remote attacks or be used as vectors to obtain sensitive information by taking advantage of their extended system privileges.

As is the case with many pre-installed or default apps on most Android devices these days, some of the affected apps cannot be fully uninstalled or disabled without gaining root access to the device.“, said the research team Microsoft 365 Defender in a report released Friday.

Weaknesses, which range from command injection to local privilege escalationreceived the identifiers CVE-2021-42598, CVE-2021-42599, CVE-2021-42600 and CVE-2021-42601, with CVSS scores between 7.0 and 8.9.


Code of the proof-of-concept exploit (POC) injection command and Injection a javascript similar in the Web View

The vulnerabilities were discovered and reported in September 2021 and there is no evidence that the flaws are being exploited in the wild. Microsoft did not disclose the full list of applications that use the vulnerable framework in question, which is designed to offer self-diagnostic mechanisms to identify and fix issues impacting an Android device.

This also means that the framework had broad access permissions, including audio, camera, power, location, sensor data, and storage, to carry out its functions. Associated with problems identified in the service, Microsoft said this could allow an attacker to plant persistent backdoors and take control.

Some of the affected applications come from major international mobile service providers such as Telus, AT&T, Rogers, Freedom Mobile and BellCanada.

  • Mobile Clinic Device Checkup (com.telus.checkup)
  • Device Help (com.att.dh)
  • MyRogers (com.fivemobile.myaccount)
  • Freedom Device Care (com.freedom.mlp.uat), and
  • Device Content Transfer (

In addition, Microsoft recommends users to search for the application package ” com.mce.mceiotraceagent – an application that may have been installed by repair shops of mobile phones – and remove it from phones, if necessary.

Suspicious applications, although pre-installed by phone providers, are also available on the Google Play Store and would have passed the App Storefront’s automatic security checks without triggering any alarm signalsas the process was not designed to detect these issues, which has since been rectified.

We would like to give thanks to the author of this write-up for this amazing web content

Android: 4 critical vulnerabilities discovered

You can view our social media profiles here and other pages on related topics here.