Dangerous Rootkit found Pre-Installed on nearly 3 Million Android Phones
Here's some bad news for Android users again.

Nearly 3 Million Android devices worldwide are vulnerable to man-in-the-middle (MITM) attacks that could allow attackers to remotely execute arbitrary code with root privileges, turning over full control of the devices to hackers.

According to a new report from security rating firm BitSight, the issue is due to a vulnerability in the insecure implementation of the OTA (Over-the-Air) update mechanism used by certain low-cost Android devices, including BLU Studio G from US-based Best Buy.

Backdoor/Rootkit Comes Pre-installed

The vulnerable OTA mechanism, which is associated with Chinese mobile firm Ragentek Group, contains a hidden binary, located at /system/bin/debugs, that runs with root privileges and communicates over unencrypted channels with three hosts.

According to the researchers, this privileged binary not only exposes user-specific information to MITM attackers but also acts as a rootkit, potentially allowing attackers to remotely execute arbitrary commands on affected devices as a privileged user.

"Additionally, there are multiple techniques used to hide the execution of this binary. This behavior could be described as a rootkit," the CERT advisory associated with this vulnerability warned on Thursday.

Similar to the flaw discovered in Android devices running firmware from Shanghai ADUPS Technology, the newly discovered flaw (designated CVE-2016-6564) also resides in firmware developed by a Chinese company.

While the AdUps firmware was caught stealing user and device information, the Ragentek firmware neither encrypts the communications sent to and received from smartphones nor relies on code signing to validate legitimate apps.

This blunder could allow a remote attacker to extract personal information from an affected device, remotely wipe the whole device, and even gain access to other systems on a corporate network and steal sensitive data.

Affected Android Devices

The vulnerability has been found in multiple smartphone handsets from BLU Products, along with over a dozen devices from other vendors. The list of affected Android handsets includes:

  • BLU Studio G
  • BLU Studio G Plus
  • BLU Studio 6.0 HD
  • BLU Studio X
  • BLU Studio X Plus
  • BLU Studio C HD
  • Infinix Hot X507
  • Infinix Hot 2 X510
  • Infinix Zero X506
  • Infinix Zero 2 X509
  • DOOGEE Voyager 2 DG310
  • LEAGOO Lead 5
  • LEAGOO Lead 6
  • LEAGOO Lead 3i
  • LEAGOO Lead 2S
  • LEAGOO Alfa 6
  • IKU Colorful K45i
  • Beeline Pro 2
  • XOLO Cube 5.0

While analyzing the flaw, AnubisNetworks found that the device, a BLU Studio G, attempted to contact three pre-configured Internet domains, two of which remained unregistered despite being hardwired into the Ragentek firmware that introduced the bug.

"This OTA binary was distributed with a set of domains preconfigured in the software. Only one of these domains was registered at the time of the discovery of this issue," BitSight's subsidiary company Anubis Networks says in its report published Thursday.
"If an adversary had noticed this, and registered these two domains, they would've instantly had access to perform arbitrary attacks on almost 3,000,000 devices without the need to perform a man-in-the-middle attack."

After the discovery, AnubisNetworks researchers registered the two extraneous domains and control them to this day, in an attempt to prevent such attacks from occurring in the future.

Around 3 Million Devices contain Dangerous Rootkit

Still, the impact was significant. The researchers were able to exploit the backdoor in the BLU Studio G phone, which allowed them to install a file in the location that's reserved for apps with all-powerful system privileges.


By observing the data smartphones sent when connecting to the two domains registered by BitSight, the researchers have cataloged 55 known device models that are affected.

"We have observed over 2.8 Million distinct devices, across roughly 55 reported device models, which have checked into our sinkholes since we registered the extraneous domains," the report reads.
"In some cases, we have not been [able] to translate the provided device model into a reference to the real-world device."

So far, only BLU Products has issued a software update to address the vulnerability, though BitSight researchers haven't yet tested the patch to analyze its effectiveness. The other devices on the list may still be affected.
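As an added illustration (not code from the BitSight report), here is a small Python triage script of the kind a sinkhole operator would run over check-in logs: it counts distinct devices per reported model, as the report describes, and flags model strings that cannot be mapped to a handset on the published list. The log line format, the device identifiers and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Models the BitSight/AnubisNetworks report names as affected (taken from the article).
KNOWN_AFFECTED = {
    "BLU Studio G", "BLU Studio G Plus", "BLU Studio 6.0 HD", "BLU Studio X",
    "BLU Studio X Plus", "BLU Studio C HD", "Infinix Hot X507", "Infinix Hot 2 X510",
    "Infinix Zero X506", "Infinix Zero 2 X509", "DOOGEE Voyager 2 DG310", "LEAGOO Lead 5",
    "LEAGOO Lead 6", "LEAGOO Lead 3i", "LEAGOO Lead 2S", "LEAGOO Alfa 6",
    "IKU Colorful K45i", "Beeline Pro 2", "XOLO Cube 5.0",
}

# Hypothetical check-in line format (the report does not publish its sinkhole format):
#   <timestamp> <src_ip> model="<reported model>" device=<opaque device id>
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) model="(?P<model>[^"]*)" device=(?P<dev>\S+)$')

def parse_checkin(line):
    """Return (model, device_id) for a well-formed check-in line, else None."""
    m = LINE_RE.match(line.strip())
    return (m.group("model"), m.group("dev")) if m else None

def summarize(lines):
    """Count distinct device ids per reported model (repeat check-ins from the same
    device count once) and flag model strings that match no known affected handset."""
    devices_by_model = defaultdict(set)
    malformed = 0
    for line in lines:
        parsed = parse_checkin(line)
        if parsed is None:
            malformed += 1
            continue
        model, dev = parsed
        devices_by_model[model].add(dev)
    counts = {model: len(devs) for model, devs in devices_by_model.items()}
    return {
        "distinct_devices": sum(counts.values()),
        "models": counts,
        "unmapped_models": sorted(m for m in counts if m not in KNOWN_AFFECTED),
        "malformed_lines": malformed,
    }

# Constructed sample check-ins, not real sinkhole data; device d1 checks in twice.
SAMPLE_LOG = """\
2016-11-17T10:00:01Z 203.0.113.10 model="BLU Studio G" device=d1
2016-11-17T10:00:05Z 203.0.113.11 model="BLU Studio G" device=d2
2016-11-17T10:00:09Z 203.0.113.10 model="BLU Studio G" device=d1
2016-11-17T10:01:00Z 198.51.100.7 model="LEAGOO Lead 5" device=d3
2016-11-17T10:02:00Z 198.51.100.8 model="RGT_MODEL_K9" device=d4
garbage line
"""
```

Running `summarize(SAMPLE_LOG.splitlines())` reports 4 distinct devices, 2 of them BLU Studio G, one unmapped model string and one malformed line.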

For more technical details about the vulnerability, you can head over to the full report published by BitSight's AnubisNetworks.

This is the second case in a single week when researchers have warned you of Android smartphones coming pre-installed with backdoors that not only send massive amounts of your personal data to Chinese servers, but also allow hackers to take control of your device.
