
Privacy and security are the core of everything we do today. It’s no surprise that we have become more mobile than ever before. Mobile devices are becoming the cornerstone of modern living, converging end users’ business and personal lives. However, these mobile devices come with several vulnerabilities and security risks. Nearly all Android devices have useless pre-installed applications from manufacturers, generally called bloatware. Microsoft’s research team discovered several critical vulnerabilities in a mobile framework by MCE Systems that various mobile manufacturers use in pre-installed Android system applications. Malicious actors could have abused these applications to access sensitive information and system configuration. Therefore, it’s essential to protect your mobile devices against critical bugs in pre-installed apps. This article highlights tips to secure your Android devices against these critical flaws in pre-installed apps.

List Of Critical Flaws In Pre-Installed Apps On Android Devices

The critical flaws in pre-installed apps range from local privilege escalation to command injection. They have been assigned the identifiers CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601, with CVSS scores between 7.0 and 8.9.

Outdated Command Injection Vulnerability

Microsoft detected a command injection vulnerability, CVE-2021-42599, in the Device service. This service provides rich functionality, including the ability to stop the activities of a given package. The client controls the argument "value", and the service executes the following command:

am force-stop "value"

An attacker could add quotation marks or backticks to execute arbitrary code:

am force-stop "a"; command-to-run; echo "a"

However, according to MCE Systems, the functionality behind this vulnerability has been removed and no longer exists in newer framework versions.
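As an added example (not MCE Systems’ code), this is how a force-stop handler could validate the client-controlled value and hand it over as a single argument instead of building the shell line am force-stop "value". The real Device service is Java; the checks are mirrored here in JavaScript. The regex follows Android package-name rules (dot-separated identifiers, at least two segments); the 255-character cap is an assumed sanity limit.

```javascript
// Added example, not MCE Systems' code: validate the client-controlled "value"
// as an Android package name and pass it as one argv entry, never as shell text.
// Regex: dot-separated identifiers, each starting with a letter, two or more
// segments. The 255-character cap is an assumed sanity limit, not an Android rule.
const PACKAGE_NAME = /^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$/;

function isValidPackageName(value) {
  return typeof value === 'string' && value.length <= 255 && PACKAGE_NAME.test(value);
}

// Returns the argument vector for a process API that does not involve a shell
// (each element is one argv entry), or null when the value is rejected. Passed
// this way, quotes, semicolons and backticks in the value are plain characters,
// not shell syntax, even if the validation above were ever bypassed.
function buildForceStopArgv(value) {
  return isValidPackageName(value) ? ['am', 'force-stop', value] : null;
}
```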

Exploitation By JavaScript Injection Via PiTM

This vulnerability existed in the MCE framework’s JavaScript client logic, which was configured to allow plaintext communications. The client code is heavily obfuscated dynamic JavaScript spread over various files, mainly bundle.js. Because of the blind trust between the JarvisJSInterface server and the JavaScript client, an attacker who can inject JavaScript content into the WebView inherits the application’s permissions.

Microsoft identified two injection techniques that attackers could leverage:

  • Affect the JavaScript client’s behavior by delivering certain GET parameters through the BROWSABLE intent.
  • Trigger the application with the BROWSABLE intent, act as a person-in-the-middle to view the entire traffic of the device, and inject JavaScript code when the client fetches external content and interprets it as a script.

Once the Microsoft team reverse-engineered the obfuscated code, they found that JavaScript code could not be injected through the GET parameters. The parameters could, however, affect some of the client’s self-tests at the initial stages, such as the Wi-Fi connectivity and battery-draining tests.

Microsoft’s proof-of-concept exploit code can:

  • Perform a PiTM for the target device and entice users into clicking a link with the “mcesystems://” scheme.
  • Inject JavaScript into the plaintext page response that:
      • Hijacks the JavaScript interface by invoking init with the callback method.
      • Uses the JavaScript interface to request services.
      • Sends data to the server for information gathering via XMLHttpRequest.


Local Privilege Escalation Vulnerability

Some applications analyzed by Microsoft didn’t pull plaintext pages. Therefore, Microsoft looked for a local privilege escalation vulnerability that would allow a malicious application to obtain the system app’s privileges. This vulnerability is tracked as CVE-2021-42601.

Software Design Against JavaScript Code Injection Vulnerability 

The Microsoft team worked closely with the MCE Systems engineers and found that the reason for the JavaScript injection’s unsafe loadUrl invocations was that the framework used an asynchronous operation model. When the JavaScript client makes a request, it expects to be notified later with the results. Since the Android JavaScript Bridge allows primitive types only, the MCE framework notified the client by injecting JavaScript with unsafe arguments.

However, Microsoft proposed a slightly different design to MCE Systems to prevent unsafe JavaScript injection. The information flow is as follows:

  • The JavaScript client makes a request through the Android JavaScript Bridge, supplying the request along with a request ID.
  • The server performs the request and stores the result in a cache that maps request IDs to results.
  • The server notifies the client by injecting only the request ID into the WebView: loadUrl(“javascript:window.onMceResult(<requestID>);”).
  • The JavaScript client’s onMceResult implementation calls the Android JavaScript Bridge method fetchResult(String requestId), which returns the result as a string.

The client no longer has to receive asynchronous results through injected JavaScript, as the data is transferred safely between the client and the server.
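The four-step flow above, as an added JavaScript simulation that is not MCE Systems’ or Microsoft’s code. Both sides run in one script: webViewEval stands in for WebView.loadUrl("javascript:..."), bridge for the Android JavaScript Bridge, and the demo result text is constructed; all three are assumptions made for the simulation.

```javascript
// Added example, not MCE Systems' or Microsoft's code: a JavaScript simulation of the
// request-ID design above. `webViewEval` stands in for WebView.loadUrl("javascript:...")
// and `bridge` for the Android JavaScript Bridge; both names are assumptions.
const resultCache = new Map();   // server side: requestId -> result string
const callbacks = new Map();     // client side: requestId -> callback
let nextRequestId = 1, lastScript = null, bridge = null;

function webViewEval(script) {   // stand-in for WebView.loadUrl("javascript:...")
  lastScript = script;
  new Function(script)();
}

// Server side (Java via @JavascriptInterface in the real framework, where the work
// is also performed asynchronously; the notification step is the same).
function makeBridge(performOperation) {
  return {
    request(operation, requestId) {          // steps 1 to 3
      // Only a validated numeric ID is spliced into the injected script. The unsafe
      // design spliced the result text itself, so its content was evaluated as code.
      if (!/^\d{1,18}$/.test(requestId)) throw new Error('invalid request id');
      resultCache.set(requestId, performOperation(operation));
      webViewEval(`onMceResult(${requestId});`);
    },
    fetchResult(requestId) {                 // step 4: result returned as plain data
      const result = resultCache.get(requestId) ?? null;
      resultCache.delete(requestId);
      return result;
    },
  };
}

// Client side (runs inside the WebView); the host app installs `bridge`.
function clientRequest(operation, callback) {
  const requestId = String(nextRequestId++);
  callbacks.set(requestId, callback);
  bridge.request(operation, requestId);
  return requestId;
}
globalThis.onMceResult = function (requestId) {
  const id = String(requestId), callback = callbacks.get(id);
  callbacks.delete(id);
  if (callback) callback(bridge.fetchResult(id));
};
// Constructed demo: a result holding quotes and parentheses stays plain data.
function demo() {
  bridge = makeBridge((op) => `${op}: Tom's "Launcher"; (beta)`);
  const received = [];
  const requestId = clientRequest('listPackages', (r) => received.push(r));
  return { requestId, received, script: lastScript };
}
```

Calling demo() shows that the only script the WebView ever evaluates is onMceResult(<id>); the result text, whatever characters it contains, reaches the client through fetchResult as data.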

List Of Apps Affected With The Flaws

Some of the affected apps due to critical vulnerabilities are as follows.

The affected apps, pre-installed by phone manufacturers, are also available on the Play Store. They are said to have passed the application storefront’s automatic safety checks without raising any red flags.

Tips To Secure Your Android Devices Against Critical Vulnerabilities In Pre-Installed Apps

It’s no secret that Android suffers from several security issues. There’s always something new to worry about, from the long-running problem of pre-installed apps with vulnerabilities to the recent discovery that some apps were sharing your location data with Google.

The good news is that you can take action to protect yourself. Here are some tips for securing your devices against these vulnerabilities in pre-installed apps:

  • Keep Your Device Up to Date with the Latest Security Patches: If you have an older version of Android on your phone, there are likely security vulnerabilities in the operating system itself.
  • Only Install Apps from Trusted Sources: It’s always a good idea to download apps only from trusted sources. These include the Google Play Store, Amazon Appstore, and Samsung Galaxy Apps.
  • Appraise Your App-Downloading IQ: It’s important to know what apps are safe and which ones are not. Be careful when downloading apps from third-party stores or websites because they could contain malware and viruses.
  • Check for Updates: Updates fix bugs, but they also often contain patches for newly discovered vulnerabilities in software.
  • Enable Two-Factor Authentication for Your Google Account: It will make it more difficult for an attacker to access your account even if they have stolen your password.
  • Clean Up Your List of Connected Devices: It’s important because this list is visible in the Android operating system (OS), so anyone who sees it can tell which devices have previously been connected.
  • Think Carefully About Third-Party Security Suites: While you may want the convenience of one app to protect all your devices, you should be aware that this can lead to problems.
