The China's Google-like Search Engine Baidu is offering a software development kit (SDK) that contains functionality that can be abused to give backdoor-like access to a user's device, potentially exposing around 100 Million Android users to malicious hackers.

The SDK in question is Moplus, which may not be directly available to the public but has already made its way into more than 14,000 Android apps, of which around 4,000 are actually created by Baidu.

Overall, more than 100 Million Android users, who have downloaded these apps on their smartphones, are in danger.

Security researchers from Trend Micro have discovered a vulnerability in the Moplus SDK, called Wormhole, that allows attackers to launch an unsecured and unauthenticated HTTP server connection on affected devices, which works silently in the background, without the user's knowledge.

Also Read: More than 26 Android Phone Models Shipped with Pre-Installed Spyware

This unsecured server does not use authentication and can accept requests from anyone on the Internet. Though the server is controlled by the attacker, who can send requests to a particular port of this hidden HTTP server to execute malicious commands.

Malicious Functionalities of Wormhole

Currently, the researchers have identified that the SDK is using the port 6259 or 40310 to perform malicious activities on affected Android devices, which includes:
  • Send SMS messages
  • Make phone calls
  • Get mobile phone details
  • Add new contacts
  • Get a list of local apps
  • Download files on the device
  • Upload files from the device
  • Silently install other apps (if the phone is rooted)
  • Push Web pages
  • Get phone's geo-location, and many more
Since the SDK automatically installs the Web server when a Moplus SDK app is opened, hackers just need to scan a mobile network for port 6259 or 40310, thereby finding vulnerable devices they can abuse.

Also Read: Android Malware Can Spy On You Even When Your Mobile Is Off

Wormhole is More Dangerous than Stagefright

The vulnerability, according to researchers, is potentially easier to exploit than the Stagefright flaw, as Wormhole doesn't require social engineering to infect an unsuspecting user.

Trend Micro has also found at least one malware strain (detected as ANDROIDOS_WORMHOLE.HRXA) in the wild that takes advantage of Wormhole in Moplus SDK.

Researchers informed both Baidu as well as Google of the vulnerability.

As a result, Baidu has just pushed a partial fix for the problem by releasing a new version of the SDK that removed some of the SDK's functionality, but not all. The HTTP server remains online and active; however, Baidu assured its users that no backdoor exists now.

Must Read: Stagefright Bug 2.0 — One Billion Android SmartPhones Vulnerable to Hacking

This isn't the first time a Chinese company has caught distributing malicious SDK. Just a few days ago, the Taomike SDK – one of the biggest mobile ad solutions in China – was caught secretly spying on users' SMS messages and uploading them to a server in China.

The same malicious functionality was also discovered two weeks back in another SDK developed by Youmi; that affected 256 iOS apps, which were caught using private APIs to collect users private data. However, Apple eventually banned those apps from its App Store.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.