Dangerous Rootkit found Pre-Installed on nearly 3 Million Android Phones
Saturday, November 19, 2016
Swati Khandelwal
Here's some bad news for Android users again.

Nearly 3 Million Android devices worldwide are vulnerable to man-in-the-middle (MITM) attacks that could allow attackers to remotely execute arbitrary code with root privileges, turning over full control of the devices to hackers.
According to a new report from security rating firm BitSight, the issue is due to a vulnerability in the insecure implementation of the OTA (Over-the-Air) update mechanism used by certain low-cost Android devices, including the BLU Studio G from US-based Best Buy.
Backdoor/Rootkit Comes Pre-installed
The vulnerable OTA mechanism, which is associated with Chinese mobile firm Ragentek Group, contains a hidden binary, residing at /system/bin/debugs, that runs with root privileges and communicates over unencrypted channels with three hosts.
According to the researchers, this privileged binary not only exposes user-specific information to MITM attackers but also acts as a rootkit, potentially allowing attackers to remotely execute arbitrary commands on affected devices as a privileged user.
"Additionally, there are multiple techniques used to hide the execution of this binary. This behavior could be described as a rootkit," the CERT advisory associated with this vulnerability warned on Thursday.
Similar to the flaw discovered in Android devices running firmware from Shanghai ADUPS Technology, the newly discovered flaw (designated CVE-2016-6564) also resides in firmware developed by a Chinese company.
While the AdUps firmware was caught stealing user and device information, the Ragentek firmware neither encrypts the communications sent to and received from smartphones nor relies on code-signing to validate legitimate apps.
This blunder could allow a remote attacker to extract personal information from an affected device, remotely wipe the whole device, and even gain access to other systems on a corporate network and steal sensitive data.
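The two properties named above, plaintext transport and no code-signing, are what turn an on-path position into root on the device. The following is an added example in Go, not Ragentek's or BLU's code, contrasting an updater that installs whatever arrives with one that verifies an Ed25519 signature under a vendor public key assumed to be baked into the firmware; the OTAPackage type, the helper names and the sample payloads are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// OTAPackage is the firmware payload plus a detached vendor signature, as received over plaintext.
type OTAPackage struct {
	Payload   []byte
	Signature []byte
}

// newVendorKeys stands in for the vendor's build key pair; the public half is assumed baked into the firmware.
func newVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signPackage plays the vendor's build server: it signs the payload bytes.
func signPackage(priv ed25519.PrivateKey, payload []byte) OTAPackage {
	return OTAPackage{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// tamper models an on-path attacker swapping the payload; no valid vendor signature exists for the new bytes.
func tamper(pkg OTAPackage, replacement []byte) OTAPackage {
	return OTAPackage{Payload: replacement, Signature: pkg.Signature}
}

// applyUnverified mirrors the weakness described above: whatever arrives is installed and runs as root.
func applyUnverified(pkg OTAPackage) []byte { return pkg.Payload }
// applyVerified is the hardened form: transport is still plaintext, but a tampered update is rejected.
func applyVerified(pub ed25519.PublicKey, pkg OTAPackage) ([]byte, error) {
	if !ed25519.Verify(pub, pkg.Payload, pkg.Signature) {
		return nil, fmt.Errorf("OTA rejected: signature does not verify under the vendor key")
	}
	return pkg.Payload, nil
}

func main() {
	pub, priv := newVendorKeys()
	genuine := signPackage(priv, []byte("constructed: genuine vendor update"))
	hostile := tamper(genuine, []byte("constructed: attacker-supplied binary"))
	fmt.Printf("unverified client installed: %q\n", applyUnverified(hostile))
	fmt.Println(applyVerified(pub, hostile))
}
```

Signature verification alone does not stop an eavesdropper from reading the device identifiers sent in the clear; that still needs TLS on the channel.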
Affected Android Devices
The vulnerability has been found in multiple smartphone handsets from BLU Products, along with over a dozen devices from other vendors. The list of affected Android handsets includes:
- BLU Studio G
- BLU Studio G Plus
- BLU Studio 6.0 HD
- BLU Studio X
- BLU Studio X Plus
- BLU Studio C HD
- Infinix Hot X507
- Infinix Hot 2 X510
- Infinix Zero X506
- Infinix Zero 2 X509
- DOOGEE Voyager 2 DG310
- LEAGOO Lead 5
- LEAGOO Lead 6
- LEAGOO Lead 3i
- LEAGOO Lead 2S
- LEAGOO Alfa 6
- IKU Colorful K45i
- Beeline Pro 2
- XOLO Cube 5.0
While analyzing the flaw, AnubisNetworks found that the device, a BLU Studio G, attempted to contact three pre-configured Internet domains, two of which remained unregistered despite being hardwired into the Ragentek firmware that introduced the bug.
"This OTA binary was distributed with a set of domains preconfigured in the software. Only one of these domains was registered at the time of the discovery of this issue," BitSight's subsidiary company Anubis Networks says in its report published Thursday.
"If an adversary had noticed this, and registered these two domains, they would've instantly had access to perform arbitrary attacks on almost 3,000,000 devices without the need to perform a man-in-the-middle attack."
After the discovery, AnubisNetworks researchers registered the addresses and still control those two extraneous domains to this day, in an attempt to prevent such attacks from occurring in the future.
Around 3 Million Devices contain Dangerous Rootkit
Still, the impact was significant. The researchers were able to exploit the backdoor in the BLU Studio G phone, which allowed them to install a file in the location that's reserved for apps with all-powerful system privileges.
By observing the data smartphones sent when connecting to the two domains registered by BitSight, the researchers have cataloged 55 known device models that are affected.
"We have observed over 2.8 Million distinct devices, across roughly 55 reported device models, which have checked into our sinkholes since we registered the extraneous domains," the report reads.
"In some cases, we have not been [able] to translate the provided device model into a reference to the real-world device."
So far, only BLU Products has issued a software update to address the vulnerability, though BitSight researchers haven't yet tested the patch to analyze its effectiveness. However, the remaining Android devices might still be affected.
For more technical details about the vulnerability, you can head on to the full report published by BitSight's AnubisNetworks.
This is the second case in a single week when researchers have warned you of Android smartphones coming pre-installed with backdoors that not only send massive amounts of your personal data to Chinese servers, but also allow hackers to take control of your device.
http://thehackernews.com/2016/11/hacking-android-smartphone18.html