Phones are valuable, not just to us as communication tools, but also to hackers as a gateway to all of our personal data. Thankfully, security companies are working around the clock to make sure that attack vectors are eliminated as soon as possible, and in the latest case, Microsoft has stopped a severe vulnerability affecting many Android phones out there, helping MCE Systems, the company that created a widely pre-installed self-diagnosis framework, fix a glaring issue in its design.

The issue in question is a framework bundled with many system apps provided by carriers on Android phones, included as a self-diagnosis tool. These apps are also often offered on the Play Store, and the vulnerability has so far slipped past Google’s automated security checks. Following communication with Microsoft, Google has since added the vulnerability to its checklist, though.

Given that the framework is part of pre-installed system apps, it has a lot of permissions, allowing it to gain almost full control over a phone as part of its functionality. It can access and manipulate volume levels, take silent snapshots from the camera, control and obtain information from NFC, Wi-Fi, and Bluetooth, see the phone’s location, access content in storage like documents and media, and more. This normally shouldn’t be a problem, since only the privileged system app in question should be able to interact with the framework.

[Figure 5: Injecting a similar JavaScript code to the WebView could allow an attacker to call arbitrary services and methods. Source: Microsoft]

Microsoft's proof-of-concept exploit code, injecting JavaScript code.

However, Microsoft found out that due to the framework’s design, an attacker can implant a persistent backdoor to silently surveil their target or to take substantial control over the device in question thanks to unsafe JavaScript injections. MCE Systems collaborated with Microsoft to fix the issue, and it has implemented a different software design that isn’t vulnerable to this kind of attack, as it no longer polls for asynchronous results, which was the culprit. In the process, the companies also noticed that Google offers an API on Android 5 and higher that can be used instead of the company’s previous unsafe method, so MCE Systems is now using Google’s solution on supported devices — and these days, 98% of Android phones should be running a more recent Android version than that.

While the company responsible for the framework has since fixed the problem, the apps using the framework still have to be updated. So far, Microsoft has shared that apps from AT&T as well as Canadian carriers Telus, Rogers, Freedom Mobile, and Bell have been updated with the fix, but Microsoft says that it’s possible that there are still apps out there that use the old version. In that sense, make sure that you have automatic updates turned on in the Play Store in order to get the fix as soon as possible. Since it’s unclear how many carriers use this framework, it might take quite some time before it is fixed on all carrier-issued devices.

[Image: MCE Systems "care journey" animation. Source: MCE Systems]

MCE Systems is advertising a "care journey" on its website, detailing how its service allows users to check their phones for issues, which could be part of what the vulnerable framework is meant to accomplish.

On MCE Systems' website, T-Mobile, Vodafone, EE, and Assurant are listed as further customers. Their applications may have already been fixed silently, or they may not include the specific framework in question. It's also possible that the apps haven't been patched yet, so be mindful of who you hand your phone to and where you leave it out in the open. Thankfully, a remote attack using this exploit seems rather difficult to pull off.

Microsoft additionally warns that some repair shops install an application with the package name com.mce.mceiotraceagent, which is also affected by the vulnerability. Make sure that you remove it from your phone if you find it installed after a repair.
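If you want to check for that package without scrolling through the app list by hand, the following script is an added example (not from the article, Microsoft, or MCE Systems). It scans the output format of `adb shell pm list packages` for the package name named above; the package list embedded in the script is a constructed sample so it runs offline, and the function name `find_affected_pkg` is an assumption of this example.

```shell
#!/bin/sh
# Added example: check an Android package list for the affected package
# name the article mentions. Not code from the article, Microsoft, or MCE.

# Package name taken from the article (the only identifier used here).
AFFECTED_PKG="com.mce.mceiotraceagent"

# find_affected_pkg LIST
#   LIST is text in the format of `adb shell pm list packages`
#   (one "package:<name>" entry per line).
#   Returns 0 if the affected package is listed, 1 otherwise.
#   grep -F treats the dots literally; -x requires a whole-line match so a
#   package whose name merely contains this string does not count.
find_affected_pkg() {
  printf '%s\n' "$1" | grep -qxF "package:${AFFECTED_PKG}"
}

# Constructed sample output, resembling what `adb shell pm list packages`
# prints on a phone where the repair-shop agent is present.
SAMPLE_LIST="package:com.android.settings
package:com.mce.mceiotraceagent
package:com.google.android.gms"

if find_affected_pkg "$SAMPLE_LIST"; then
  echo "found ${AFFECTED_PKG}: review it in Settings > Apps and uninstall it"
else
  echo "${AFFECTED_PKG} not present"
fi
```

On a real phone with USB debugging enabled, replace the sample with live output, e.g. `find_affected_pkg "$(adb shell pm list packages)"`. The script only reads the package list; removal itself is done from the phone's app settings, as the article advises.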

In cases like these, it’s clear that you’re not fully the owner of your device anymore, even if services like these might make it easier to set up your device. It isn’t possible to remove these pre-installed apps from phones without root access, so when a system app is affected by a vulnerability, all you can do is hope that it gets fixed soon. Thankfully, app updates are all that’s needed — no need for a system update on your phone.