Backdoor/Rootkit Comes Pre-installed

Here's some bad news for Android users again.

Nearly 3 Million Android devices worldwide are vulnerable to man-in-the-middle (MITM) attacks that could allow attackers to remotely execute arbitrary code with root privileges, turning over full control of the devices to hackers.

According to a new report from security rating firm BitSight, the issue stems from an insecure implementation of the OTA (over-the-air) update mechanism used by certain low-cost Android devices, including the BLU Studio G, a handset sold in the US by retailers such as Best Buy.

The vulnerable OTA mechanism, associated with Chinese mobile firm Ragentek Group, includes a hidden binary, installed as /system/bin/debugs, that runs with root privileges and talks to three hosts over unencrypted channels.

According to the researchers, this privileged binary not only exposes user-specific information to MITM attackers but also behaves like a rootkit, potentially allowing a remote attacker to execute arbitrary commands on affected devices as root.

"Additionally, there are multiple techniques used to hide the execution of this binary. This behavior could be described as a rootkit," the CERT advisory associated with this vulnerability warned on Thursday.

Like the flaw recently discovered in Android devices running firmware from Shanghai ADUPS Technology, the newly discovered flaw (designated CVE-2016-6564) also resides in firmware developed by a Chinese company.

While the ADUPS firmware was caught stealing user and device information, the Ragentek firmware neither encrypts the communications it sends to and receives from the smartphone nor relies on code signing to verify that what it downloads is legitimate.

This blunder allows a remote attacker in a MITM position to extract personal information from an affected device, wipe the whole device remotely, or use the phone as a foothold to reach other systems on a corporate network and steal sensitive data.

Affected Android Devices


The vulnerability has been found in multiple smartphone handsets from BLU Products, along with over a dozen devices from other vendors. The list of affected Android handsets includes:

  • BLU Studio G
  • BLU Studio G Plus
  • BLU Studio 6.0 HD
  • BLU Studio X
  • BLU Studio X Plus
  • BLU Studio C HD
  • Infinix Hot X507
  • Infinix Hot 2 X510
  • Infinix Zero X506
  • Infinix Zero 2 X509
  • DOOGEE Voyager 2 DG310
  • LEAGOO Lead 5
  • LEAGOO Lead 6
  • LEAGOO Lead 3i
  • LEAGOO Lead 2S
  • LEAGOO Alfa 6
  • IKU Colorful K45i
  • Beeline Pro 2
  • XOLO Cube 5.0
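As an added triage example for practitioners, not code from BitSight/AnubisNetworks or from the original article, the following POSIX shell script checks an attached Android device over adb for the one indicator the article gives: a root-privileged binary at /system/bin/debugs. The function and file names (classify_binary_listing, find_running_process, triage_device, ragentek_triage.sh) are this example's own; the page does not name the three OTA hosts, so no network indicators are checked, and the device's reported model string is printed for manual comparison against the list above rather than matched automatically.

```shell
#!/bin/sh
# Added triage example; not code from BitSight/AnubisNetworks or the article.
# Checks an attached Android device for the indicator the article gives: a
# root-privileged binary at /system/bin/debugs. The OTA domain names are not
# named on the page, so no network indicators are checked here. Assumption:
# you compare the reported model against the published list yourself.

DEBUGS_PATH="/system/bin/debugs"

# Classify one `ls -l` line for the binary. Handles both the old toolbox
# format ("-rwxr-xr-x root shell 12345 2015-06-18 10:44 debugs") and the
# toybox/GNU format, which inserts a link count as the second field.
# Prints "absent", "present:owner=<user>" or "present:setuid,owner=<user>".
classify_binary_listing() {
    line="$1"
    case "$line" in
        ""|*"No such file"*|*"not found"*) echo "absent"; return 0 ;;
    esac
    # shellcheck disable=SC2086   # word-splitting the ls line is intended
    set -- $line
    mode="$1"
    case "$2" in
        ''|*[!0-9]*) owner="$2" ;;   # toolbox: no link count, owner is field 2
        *)           owner="$3" ;;   # toybox/GNU: link count, owner is field 3
    esac
    case "$mode" in
        -??[sS]*) echo "present:setuid,owner=$owner" ;;
        *)        echo "present:owner=$owner" ;;
    esac
}

# Scan `ps` output (passed as one string) for a running debugs process.
# Works for both old Android ps (USER PID PPID VSIZE RSS WCHAN PC NAME) and
# toybox ps, since both put the user first and the command name last.
# Prints "running:user=<user>" or "not-running".
find_running_process() {
    printf '%s\n' "$1" | awk '
        $NF ~ /debugs$/ { print "running:user=" $1; found = 1; exit }
        END { if (!found) print "not-running" }'
}

# Pull live data from the device over adb and run both checks. Assumes adb is
# on PATH and exactly one device is attached with USB debugging enabled.
triage_device() {
    if ! command -v adb >/dev/null 2>&1; then
        echo "adb not found; feed captured ls/ps output to the classify functions" >&2
        return 2
    fi
    model=$(adb shell getprop ro.product.model | tr -d '\r')
    listing=$(adb shell ls -l "$DEBUGS_PATH" 2>&1 | tr -d '\r')
    procs=$(adb shell ps 2>/dev/null | tr -d '\r')
    echo "model:   $model   (compare against the affected-device list above)"
    echo "binary:  $(classify_binary_listing "$listing")"
    echo "process: $(find_running_process "$procs")"
}

# Run the live triage only when executed directly under the assumed file
# name, not when the file is sourced for its functions.
case "$0" in
    *ragentek_triage.sh) triage_device ;;
esac
```

Save it as ragentek_triage.sh and run it with a device attached, or source it and pass captured `ls -l` and `ps` output to the two classify functions when working from an offline dump. A present binary owned by root is what the article describes; the absence of a running process is not proof of safety, since the advisory notes the binary uses several techniques to hide its execution.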

While analyzing the flaw, AnubisNetworks found that its test device, a BLU Studio G, attempted to contact three pre-configured Internet domains, two of which were unregistered despite being hard-coded into the Ragentek firmware.

"This OTA binary was distributed with a set of domains preconfigured in the software. Only one of these domains was registered at the time of the discovery of this issue," BitSight's subsidiary company Anubis Networks says in its report published Thursday. 
"If an adversary had noticed this, and registered these two domains, they would’ve instantly had access to perform arbitrary attacks on almost 3,000,000 devices without the need to perform a man-in-the-middle attack."

After the discovery, AnubisNetworks researchers registered the two extraneous domains themselves and still control them, sinkholing the traffic so that nobody else can use them to attack the devices.

Around 3 Million Devices contain Dangerous Rootkit


The impact is significant. The researchers were able to exploit the backdoor on a BLU Studio G, which allowed them to write a file into a location reserved for apps with full system privileges.


By observing the check-ins that devices made to the two domains BitSight registered, the researchers catalogued roughly 55 device models that are affected.

"We have observed over 2.8 Million distinct devices, across roughly 55 reported device models, which have checked into our sinkholes since we registered the extraneous domains," the report reads. 
"In some cases, we have not been [able] to translate the provided device model into a reference to the real-world device."
So far, only BLU Products has issued a software update to address the vulnerability, and BitSight researchers have not yet tested the patch to confirm its effectiveness. The other listed devices have no fix and should be presumed still vulnerable.

For more technical details about the vulnerability, see the full report published by BitSight's AnubisNetworks.

This is the second time in a single week that researchers have warned of Android smartphones shipping with pre-installed backdoors that not only send large amounts of personal data to Chinese servers but also allow attackers to take control of the device.
