Get updates delivered to you daily. Free and customizable.
TechRadar
Serious security bugs put millions of Android devices at risk
By Sead Fadilpašić,
2022-05-30
A couple of high-severity vulnerabilities were recently discovered in a mobile framework serving the Android(opens in new tab) operating systems, putting millions of people at risk.
The Microsoft 365 Defender Research Team, which discovered the flaws in September last year, says they could have been used to launch serious attacks on target devices, resulting in data theft and partial device takeover.
According to a new blog post(opens in new tab), Microsoft "uncovered high-severity vulnerabilities(opens in new tab) in a mobile framework owned by mce Systems and used by multiple large mobile service providers in pre-installed Android System apps that potentially exposed users to remote (albeit complex) or local attacks".
The vulnerabilities are being tracked as CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601, with severity scores ranging from 7.0 to 8.9 out of 10.
Further detailing its findings, Microsoft said the mobile framework includes a service that could be leveraged to “allow adversaries to implant a persistent backdoor or take substantial control over the device".
The company notified both mce Systems and affected mobile service providers (some of which are “international”), and teamed up with them to work on a fix. All of the vulnerabilities have now been addressed, the blog states.
"We worked closely with mce Systems’ security and engineering teams to mitigate these vulnerabilities," Microsoft said, "which included mce Systems sending an urgent framework update to the impacted providers and releasing fixes for the issues. At the time of publication, there have been no reported signs of these vulnerabilities being exploited in the wild".
Google also pitched in, updating its Play Protect service to cover off the attack vectors.
While Microsoft says there is no evidence of the flaws being exploited in the wild, it did add that there could be more undiscovered providers affected by the flaw, including “several mobile phone repair shops” that might have installed vulnerable apps on people’s endpoints(opens in new tab).
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
Get updates delivered to you daily. Free and customizable.
Welcome to NewsBreak, an open platform where diverse perspectives converge. Most of our content comes from established publications and journalists, as well as from our extensive network of tens of thousands of creators who contribute to our platform. We empower individuals to share insightful viewpoints through short posts and comments. It’s essential to note our commitment to transparency: our Terms of Use acknowledge that our services may not always be error-free, and our Community Standards emphasize our discretion in enforcing policies. We strive to foster a dynamic environment for free expression and robust discourse through safety guardrails of human and AI moderation. Join us in shaping the news narrative together.
Comments / 0