Microsoft unveils ‘severe’ vulnerability affecting popular Android apps
Microsoft researchers have discovered a number of exploitable and very serious vulnerabilities in an Android application framework used by mobile operators.
Although all parties have been notified and the issues have apparently been resolved, the fact that these apps – many of which come pre-installed – had such gaping security flaws is concerning.
Although anti-virus software can save your neck in many cases, it is essential that you always update your software when new patches are released.
Which apps were affected?
The vulnerabilities were found in a mobile framework developed and owned by mce systems, which is used by mobile carrier applications on Android phones.
Many of the affected mobile operator apps come pre-installed on Android phones purchased from that operator, although the apps are also available on the Play Store and have millions of downloads.
Companies affected by the vulnerability include AT&T, Rogers Communications, Freedom Mobile, TELUS and Bell Canada. Together they have millions of downloads and users.
What kind of attacks was the framework vulnerable to?
According to the Microsoft Defender Blog, the issues leave users open to both “command injection” and “privilege escalation” attacks.
Command injection attacks work exactly as their name suggests: they allow malicious actors to execute arbitrary code in a vulnerable system or network. Elevation of privilege attacks, on the other hand, are designed to help hackers gain unauthorized (and elevated) access to parts of a system or network that are typically protected from most users.
“With the extended system privileges that pre-installed apps have, these vulnerabilities could have been attack vectors allowing attackers to gain access to system configuration and sensitive information,” says the Microsoft 365 Defender Research Team.
Analyzing the permissions of an application affiliated with mce systems shows which of them could conceivably give an attacker dangerously broad access. These include permissions for Internet access, Wi-Fi and network state, Bluetooth, camera and audio access, and contact and account information.
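The permission review described above can be scripted against an app's decoded AndroidManifest.xml. The following is an added example, not code from Microsoft or mce systems: the mapping of the article's categories to standard Android permission names, the function names and the sample manifest (a hypothetical package) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Assumption: standard Android permission names chosen to match the
# categories the article lists; the article itself names no constants.
CATEGORIES = {
    "internet": {"INTERNET"},
    "wifi/network state": {"ACCESS_WIFI_STATE", "CHANGE_WIFI_STATE",
                           "ACCESS_NETWORK_STATE"},
    "bluetooth": {"BLUETOOTH", "BLUETOOTH_ADMIN", "BLUETOOTH_CONNECT"},
    "camera/audio": {"CAMERA", "RECORD_AUDIO"},
    "contacts/accounts": {"READ_CONTACTS", "WRITE_CONTACTS", "GET_ACCOUNTS"},
}

# Constructed sample manifest (hypothetical package, not a real app).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.carrier.selfcare">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.BLUETOOTH"
                   android:maxSdkVersion="30"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission-sdk-23 android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""

def requested_permissions(manifest_xml, device_sdk):
    """Return the permission names the manifest requests on one API level."""
    root = ET.fromstring(manifest_xml.strip())
    names = set()
    # <uses-permission-sdk-23> only applies on API 23+; maxSdkVersion caps a request.
    for tag, min_sdk in (("uses-permission", 1), ("uses-permission-sdk-23", 23)):
        for el in root.iter(tag):
            max_sdk = int(el.get(ANDROID + "maxSdkVersion", device_sdk))
            name = el.get(ANDROID + "name")
            if name and min_sdk <= device_sdk <= max_sdk:
                names.add(name)
    return names

def audit(manifest_xml, device_sdk=33):
    """Group the requested permissions under the article's categories."""
    requested = requested_permissions(manifest_xml, device_sdk)
    short = {p.rsplit(".", 1)[-1] for p in requested
             if p.startswith("android.permission.")}
    return {cat: sorted(short & perms)
            for cat, perms in CATEGORIES.items() if short & perms}

if __name__ == "__main__":
    for category, perms in audit(SAMPLE_MANIFEST).items():
        print(f"{category}: {', '.join(perms)}")
```

A category appearing in the output means only that the app requests a permission of that kind; whether the request is justified still needs a manual review of what the app does.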
The tech giant’s team also suggested the issues could be exploited to orchestrate both remote and local attacks, although the former are complex.
How can I protect myself from mobile threats?
Despite the fact that 50% of all website traffic now comes from mobile devices, users often associate online threats with laptops and desktops.
The widely shared half-truth that iPhones can’t catch viruses hasn’t helped, feeding the perception that you don’t need to make many security tweaks on your phone.
However, this is wrong. You can catch viruses on any phone you own, regardless of operating system, and the more people use phones to surf the internet, the more viruses there will be. More and more business people are also doing important work on their phones, so the stakes have never really been higher.
So make sure you have anti-virus software for your mobile. It’s also a good idea to use a password manager for the accounts you have with apps, so that a hacker at least can’t recycle your credentials if they compromise an account you own.