Microsoft recently announced they had detected some critical vulnerabilities in a mobile framework used by Android.
The Microsoft 365 Defender Research Team detected flaws in a framework operated by mce Systems last year. The vulnerabilities have been patched now, so are no longer a threat, but did provide full access to phones for a while.
It apparently wasn’t just the framework, some apps also carried a vulnerability that could be leveraged by a hacker. That vulnerability passed checks run by the Google Play Store. In fact, the vulnerabilities were so serious, they had a CVSS score of between 7.0 and 8.9. (CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601).
It’s somewhat ironic that a company known across the globe for security vulnerabilities and providing bugged software managed to spot bugs in more secure software.
But, sometimes, even the mightiest among us make mistakes.
The 365 Defender Research Team were some of the first to identify the vulnerabilities and report them to mce Systems and relevant companies to patch them.
The vulnerabilities tied into the framework that interfaces with Android to perform self-checks and diagnostics. That gave any potential hacker the opportunity for unrivaled access to an Android phone. Microsoft said the vulnerabilities could “allow adversaries to implant a persistent backdoor or take substantial control over the device".
Fortunately, Microsoft worked with mce Systems to remedy the issue. That, and the process within the Google Play Store that allowed these vulnerabilities through, and the majority of the apps affected have all been fixed.
"We worked closely with mce Systems’ security and engineering teams to mitigate these vulnerabilities," Microsoft said, "which included mce Systems sending an urgent framework update to the impacted providers and releasing fixes for the issues. At the time of publication, there have been no reported signs of these vulnerabilities being exploited in the wild."