There is good news and bad news for Android users. The bad news: Microsoft has discovered serious security vulnerabilities in many Android apps that attackers can exploit to access third-party devices. The good news…
Android: Serious vulnerabilities in millions of apps
In September 2021, the “Microsoft 365 Defender Research Team” found several serious vulnerabilities in a mobile framework, which Microsoft describes in detail in this blog entry. This framework is used in popular apps from a number of well-known companies, and the affected apps have been installed millions of times on Android devices. However, the companies using these apps all appear to be US companies such as AT&T, Rogers Communications and Bell Canada. Android users in Germany should therefore not be affected by this problem, or at most hardly affected, unless they have downloaded the relevant apps themselves.
The framework comes from MCE Systems and is used in apps from numerous mobile network providers such as the US companies mentioned above. In addition, the vulnerable framework and associated apps have also been found on devices from other international mobile operators, because MCE Systems allowed the companies using it to customize and label their respective mobile apps and frameworks. According to MCE Systems, some of these gaps exist in various apps for Android and iOS. To our knowledge, however, MCE Systems does not name specific app examples.
How attackers can exploit the vulnerabilities
Attackers can exploit the vulnerabilities for local or remote attacks and, for example, control the audio, camera, power and memory controls of the devices. The attackers can inject commands and gain unwanted permissions on third-party devices. This gives attackers access to the system configuration and sensitive information, allowing them to remotely control the hijacked devices.
The vulnerabilities are specifically identified as follows:
The vulnerabilities are classified with severity levels between 7.0 and 8.9, as summarized by the US IT news portal.
Microsoft points out that it worked with MCE Systems and the vulnerabilities have now been fixed. Affected Android users should therefore install all updates so that the gaps are closed.