Microsoft discovers serious vulnerabilities in pre-installed apps with millions of downloads


Microsoft has unearthed a number of high-severity vulnerabilities in a framework used by Android apps “with millions of downloads”. Note up front that Microsoft has not named any of the apps in question. The only name that came out was that of mce Systems, the developer of the framework, which was promptly notified. Redmond's security researchers then worked together with mce and the owners of the apps themselves to resolve the matter.

Details of the critical issues, which now belong to the past, have been disclosed: they could have served as a vector through which malicious actors gained access to the system configuration and to the confidential information of the device owner. The troubling point is that the issues affected some of the apps pre-installed by manufacturers on Android smartphones and tablets. An attacker therefore had a huge audience of potential targets, while the targets had no tools to defend themselves, since uninstalling pre-installed apps is generally impossible without root permissions.

HACKERS COULD TAKE ‘TOTAL CONTROL’ OF THE DEVICE

Microsoft’s “hunters” discovered that the framework in question, which holds permissions to use the microphone and camera, adjust audio and more for its “normal” activity, had a “BROWSABLE” service activity that an attacker could use remotely to exploit the vulnerabilities and implant a persistent backdoor on the device or assume “substantial control”.
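A defender reviewing an app for the combination described above can check its manifest for web-reachable activities alongside the sensitive permissions the app holds. The following is an added example, not code from Microsoft or mce Systems; it assumes the manifest has already been decoded to text XML, and the package, activity and scheme names in the sample are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
BROWSABLE = "android.intent.category.BROWSABLE"
# Permissions matching the capabilities the article lists (microphone, camera, audio).
SENSITIVE = {"android.permission.RECORD_AUDIO", "android.permission.CAMERA",
             "android.permission.MODIFY_AUDIO_SETTINGS"}

# Constructed sample manifest (decoded text form); all names are hypothetical.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.carrier">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".SupportActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="examplesupport"/>
      </intent-filter>
    </activity>
    <activity android:name=".InternalActivity" android:exported="false">
      <intent-filter>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="exampleinternal"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Return (sensitive permissions held, [(activity, schemes)] reachable from web links)."""
    root = ET.fromstring(xml_text)
    held = {p.get(ANDROID + "name") for p in root.iter("uses-permission")} & SENSITIVE
    findings = []
    for act in root.iter("activity"):
        # An activity marked exported="false" cannot be started by a browser link.
        if act.get(ANDROID + "exported") == "false":
            continue
        for flt in act.iter("intent-filter"):
            cats = {c.get(ANDROID + "name") for c in flt.iter("category")}
            if BROWSABLE in cats:
                schemes = sorted({d.get(ANDROID + "scheme") for d in flt.iter("data")} - {None})
                findings.append((act.get(ANDROID + "name"), schemes))
    return sorted(held), findings

if __name__ == "__main__":
    perms, reachable = audit_manifest(SAMPLE_MANIFEST)
    for name, schemes in reachable:
        print(f"{name}: BROWSABLE via {schemes}; app holds {perms}")
```

Each finding is a starting point for review: the activity's handling of the incoming link data is what determines whether the held permissions are actually exposed.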

Frameworks such as the one from mce Systems help users and manufacturers simplify the device activation process, troubleshoot the device and optimize its performance. However, the broad control over the device that they must be granted to offer these kinds of services can also make them an attractive target for attackers.

All the apps in question, Microsoft specified, were and are available on the Play Store, where they are subjected to the Play Protect automatic security scan, which previously did not include checks for this type of problem.

We have shared with Google what we have achieved – writes Microsoft – and now Play Protect can intercept this type of vulnerability as well.

Microsoft, whose security department is no stranger to discoveries that also affect other systems, wanted to congratulate the team of engineers at mce Systems for the speed and professionalism with which they contributed to resolving the problem. Users can now continue to use a framework described as crucial, but in complete safety. The technical details of the story are available at the link in SOURCE.