Microsoft recently discovered high-severity vulnerabilities in a mobile framework owned by mce Systems and used by several large mobile service providers. These vulnerabilities are likely to be attack vectors for attackers to access system configurations and sensitive information.

As the threat and computing environment evolves and new vulnerabilities are discovered, coordinated responses and other kinds of threat information sharing are critical to safeguarding consumers from current and future attacks, regardless of the platform they use. Accordingly, Microsoft reports that the vulnerabilities, which affected apps with millions of downloads, were addressed by the combined efforts of mce Systems, the framework’s creator, and the affected mobile service providers.


Discovered Threats

CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601 were discovered in a mobile framework owned by the Israeli company mce Systems and used by numerous large mobile service providers in pre-installed Android system applications, potentially exposing users to remote or local attacks.

1. CVE-2021-42599:

One of the framework’s services provides extensive functionality, including the ability to stop a given package. The caller has complete control over the parameter “value”, and the service simply executes the following command:

am force-stop "value"

Microsoft’s researchers also analyzed two injection tactics that attackers are likely to use:

  • Affect the JavaScript client’s behavior by passing particular GET parameters from the BROWSABLE Intent.
  • Trigger an app with the BROWSABLE Intent to become a person-in-the-middle (PiTM) and observe all of the device’s traffic. If the client attempts to fetch external content and interpret it as a script or HTML, JavaScript code can be injected into that content.
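The following is an added illustration (not mce Systems’ code; class, method and pattern names are assumptions) of the CVE-2021-42599 shape described above, placing the command-line splicing next to a hardened version that validates the package name and never involves a shell:

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Added illustration of the CVE-2021-42599 pattern and a hardened replacement.
// Not mce Systems' code: class, method and pattern names are assumptions.
public class ForceStopHandler {
    // Android package names are dot-separated Java identifiers; this allowlist
    // grammar rejects whitespace, quotes and every shell metacharacter.
    static final Pattern PACKAGE_NAME =
            Pattern.compile("^[A-Za-z][A-Za-z0-9_]*(\\.[A-Za-z][A-Za-z0-9_]*)+$");

    // Vulnerable shape: the caller-controlled value is spliced into a command
    // line that a shell parses, so quotes or metacharacters in "value" change
    // what actually runs instead of just naming the package to stop.
    static String unsafeCommandLine(String value) {
        return "am force-stop \"" + value + "\"";
    }

    // Hardened shape: validate first, then hand the command to the OS as an
    // argv list with no shell involved, so "value" can only ever be the single
    // argument of force-stop. (ActivityManager.forceStopPackage, where the
    // caller holds the permission, avoids spawning a process at all.)
    static List<String> safeArgv(String value) {
        if (value == null || !PACKAGE_NAME.matcher(value).matches()) {
            throw new IllegalArgumentException("rejected package name: " + value);
        }
        return Arrays.asList("am", "force-stop", value);
    }

    // Runs the hardened form and returns the exit status of "am".
    static int forceStop(String value) throws IOException, InterruptedException {
        Process p = new ProcessBuilder(safeArgv(value)).inheritIO().start();
        return p.waitFor();
    }

    public static void main(String[] args) {
        // Constructed inputs: a valid package name and one containing a quote.
        for (String v : new String[]{"com.example.app", "bad value\"; sub"}) {
            try {
                System.out.println(v + " -> " + safeArgv(v));
            } catch (IllegalArgumentException e) {
                System.out.println(e.getMessage());
            }
        }
    }
}
```

Only the validator runs on a desktop JVM; forceStop needs the Android "am" binary and the permission to stop other packages.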

According to mce Systems, the mechanism behind this vulnerability has subsequently been removed, and it is no longer included in more advanced framework versions.

2. CVE-2021-42601:

The research team found that several of the examined apps did not fetch plaintext pages. While searching instead for a local elevation of privilege vulnerability that would allow a malicious application to obtain system app privileges, they identified CVE-2021-42601.

The main Activity attempted to handle a deep link (a link that, when clicked, starts an app rather than a browser) with Google Firebase. Interestingly, this deep-link handling attempted to deserialize a structure named PendingDynamicLinkData (representing a link) from an Intent Extra byte array with the key com.google.firebase.dynamiclinks.DYNAMIC_LINK_DATA.


When Did the Research Begin?

Microsoft uncovered the vulnerabilities in September 2021 and shared the information with mce Systems and the impacted mobile service providers. The parties then worked closely together to address these problems.

“To address these issues, we worked with mce Systems, the framework’s designer, and the affected mobile service providers. We applaud the swift and competent resolution of each of these issues by the mce Systems engineering teams and the necessary partners, ensuring that customers may continue to utilize such an important framework,” claimed Microsoft.

Key Takeaways:

Microsoft states that its investigation into the framework’s vulnerabilities began with an attempt to better understand how a pre-installed system application can influence the overall security of a mobile device.

  • The framework appeared to be built to provide self-diagnostic capabilities for finding and repairing issues affecting the Android device, implying that its permissions granted access to significant resources.
  • The framework was also used by default system applications for its self-diagnostic capabilities, which revealed that those associated apps also held substantial device privileges that could be exploited through the vulnerable framework.

The framework, for example, granted access to system resources and the ability to do system-related activities such as altering the device’s audio, camera, power, and storage settings.

Microsoft compiled a list of the framework’s services, which effectively give the WebView complete control of the device. Among the most important are:

  1. Audio: Access and control volume levels and play a tone with a predefined duration and frequency.
  2. Camera: Take a screenshot silently.
  3. Connectivity: Use NFC, Wi-Fi, and Bluetooth to control and collect essential information.
  4. Discovery: Set the gadget to discoverable mode.
  5. Location: Get the location in multiple modes and change the location state.
  6. PackageManager: Obtain package information and silently install a new application.
  7. Power: Determine the charging level.
  8. Sensor: Collect sensor data such as barometer readings, light readings, proximity readings, and if fingerprinting is working.
  9. Device: A variety of device-control operations such as draining the battery, performing a factory reset, and accessing app information, addresses, and sensor data.

Several more mobile service providers were identified to be using the vulnerable framework with their separate applications, implying that there may be further providers that have yet to be uncovered and may be impacted.

Users and providers benefit from pre-installed frameworks and mobile apps like those from mce Systems, which ease device activation, diagnose device faults, and improve performance. However, the substantial control over the device that they need to provide these services may make them an appealing target for attackers.


Software Design Upgrade Proposed by Microsoft Against JavaScript Injection Vulnerabilities

Microsoft revealed the specifics of its suggestion for a slightly modified software design that prevents hazardous JavaScript injection. The design removes the need for the JavaScript client to poll for asynchronous responses while keeping data transport between the client and the server safe. The flow of information under Microsoft’s proposal is as follows:

  1. The JavaScript client calls the request function on the Android JavaScript Bridge, passing the request along with a request ID.
  2. The Java server processes the request and saves the result in a cache that maps request IDs to results.
  3. The Java server notifies the client by carefully injecting the JavaScript loadUrl("javascript:window.onMceResult();") into the WebView. The only non-constant string is the request ID, which can be readily sanitized. This procedure “wakes the client up.”
  4. The JavaScript client implementation of onMceResult invokes the Android JavaScript Bridge via the function String fetchResult(String requestId).
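An added example of the four-step flow above; this is not mce Systems’ or Microsoft’s code, and the class name, the bridge name “MceBridge”, the request-ID grammar and the placeholder handler are assumptions. It shows why the design is injection-safe: the only caller-supplied value that reaches loadUrl is a validated request ID, and the result travels back as a bridge return value rather than as script text.

```java
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.regex.Pattern;

// Added illustration, not mce Systems' or Microsoft's code. Register it with
// webView.addJavascriptInterface(new ResultCacheBridge(webView), "MceBridge").
public class ResultCacheBridge {
    // The request ID is the only client-supplied value that ever reaches
    // loadUrl, so constrain it to a short alphanumeric token (assumption).
    private static final Pattern REQUEST_ID = Pattern.compile("^[A-Za-z0-9]{1,32}$");
    private final Map<String, String> results = new ConcurrentHashMap<>();
    private final ExecutorService worker = Executors.newSingleThreadExecutor();
    private final WebView webView;

    public ResultCacheBridge(WebView webView) { this.webView = webView; }

    // Step 1: the JavaScript client submits a request plus its request ID.
    @JavascriptInterface
    public void request(String requestId, String payload) {
        if (requestId == null || !REQUEST_ID.matcher(requestId).matches()) return;
        worker.execute(() -> {
            // Step 2: process the request and cache the result under its ID.
            results.put(requestId, handle(payload));
            // Step 3: wake the client. The injected script is constant apart
            // from the validated ID; the result itself never becomes script.
            webView.post(() -> webView.loadUrl(
                    "javascript:window.onMceResult('" + requestId + "');"));
        });
    }

    // Step 4: the client's onMceResult handler pulls the result back through
    // the bridge as a plain return value, so no escaping of data is needed.
    @JavascriptInterface
    public String fetchResult(String requestId) {
        return requestId == null ? null : results.remove(requestId);
    }

    // Placeholder handler (assumption): reports the payload size as JSON.
    private String handle(String payload) {
        return "{\"ok\":true,\"bytes\":" + (payload == null ? 0 : payload.length()) + "}";
    }
}
// Matching client side (JavaScript loaded in the WebView, assumed):
//   const pending = {};
//   window.onMceResult = id => { pending[id](MceBridge.fetchResult(id)); delete pending[id]; };
//   function call(p) { const id = Math.random().toString(36).slice(2, 12);
//     return new Promise(res => { pending[id] = res; MceBridge.request(id, p); }); }
```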

The updated mce framework now checks the Android version and, where supported, uses a newer Google API, falling back to Microsoft’s suggested solution on older devices.

Road Ahead:

Microsoft has asked users to upgrade to the most recent versions of the affected applications from the Google Play store, including several widely used ones such as:

  1. com.telus.checkup
  2. com.att.dh
  3. com.fivemobile.myaccount
  4. com.freedom.mlp.uat
  5. com.ca.bell.contenttransfer


Final Words

Microsoft reports that mce Systems has declared all identified vulnerabilities fixed. Microsoft has also promised to continue collaborating with the security community to share threat intelligence and build better protection for everyone, noting that its security researchers constantly work to discover new vulnerabilities and threats and to turn a wide range of issues into tangible results and improved solutions that protect users and organizations across platforms every day.
