Nearly 3 Million Android devices worldwide are vulnerable to man-in-the-middle (MITM) attacks that could let attackers to remotely execute arbitrary code alongside rootage privileges, turning over total command of the devices to hackers.
According to a new report from safety rating trouble solid BitSight, the number is due to a vulnerability inward the insecure implementation of the OTA (Over-the-Air) update machinery used past times for sure low-cost Android devices, including BLU Studio G from US-based Best Buy.
Backdoor/Rootkit Comes Pre-installed
The vulnerable OTA mechanism, which is associated alongside Chinese mobile trouble solid Ragentek Group, contains a hidden binary — resides equally /system/bin/debugs — that runs alongside rootage privileges together with communicates over unencrypted channels alongside 3 hosts.
According to the researchers, this privileged binary non entirely exposes user-specific information to MITM attackers but equally good acts equally a rootkit, potentially allowing attackers to remotely execute arbitrary commands on affected devices equally a privileged user.
"Additionally, at that topographic point are multiple techniques used to hide the execution of this binary. This deportment could last described equally a rootkit," the CERT advisory associated alongside this vulnerability warned on Thursday.Similar to the flaw discovered inward Android devices running firmware from Shanghai ADUPS Technology, the newly discovered flaw (designated CVE-2016-6564) equally good resides inward the firmware developed past times a Chinese company.
While the AdUps firmware was caught stealing user together with device information, the Ragentek firmware neither encrypt the communications sent together with received to smartphones nor rely on code-signing to validate legitimate apps.
This blunder could let a remote assailant to extract personal information from an affected device, remotely wiping the whole device, together with fifty-fifty arrive possible to attain access to other systems on a corporate network together with pocket sensitive data.
Affected Android Devices
The vulnerability has been flora inward multiple smartphone handsets from BLU Products, along alongside over a dozen devices from other vendors. The listing of affected Android handsets includes:
- BLU Studio G
- BLU Studio G Plus
- BLU Studio 6.0 HD
- BLU Studio X
- BLU Studio X Plus
- BLU Studio C HD
- Infinix Hot X507
- Infinix Hot 2 X510
- Infinix Zero X506
- Infinix Zero 2 X509
- DOOGEE Voyager 2 DG310
- LEAGOO Lead 5
- LEAGOO Lead 6
- LEAGOO Lead 3i
- LEAGOO Lead 2S
- LEAGOO Alfa 6
- IKU Colorful K45i
- Beeline Pro 2
- XOLO Cube 5.0
While analyzing the flaw, AnubisNetworks flora that the device, a BLU Studio G, attempted to contact 3 pre-configured Internet domains, 2 of which remained unregistered despite existence hardwired into the Ragentek firmware that introduced the bug.
"This OTA binary was distributed alongside a laid upward of domains preconfigured inward the software. Only ane of these domains was registered at the fourth dimension of the regain of this issue," BitSight's subsidiary fellowship Anubis Networks says inward its study published Thursday.
"If an adversary had noticed this, together with registered these 2 domains, they would’ve right away had access to perform arbitrary attacks on almost 3,000,000 devices without the postulate to perform a man-in-the-middle attack."
After the discovery, AnubisNetworks researchers registered the addresses together with at nowadays controls those 2 extraneous domains to this twenty-four hours inward an endeavor to forestall such attacks from occurring inward the future.
Around 3 Million Devices comprise Dangerous Rootkit
Still, the impact was significant. The researchers were able to exploit the backdoor inward the BLU Studio G phone, which allowed them to install a file inward the place that's reserved for apps alongside all-powerful organization privileges.
However, past times observing the information smartphones sent when connecting to the 2 domains registered past times BitSight, the researchers stimulate got cataloged 55 known device models that are affected.
"We stimulate got observed over 2.8 Million distinct devices, across roughly 55 reported device models, which stimulate got checked into our sinkholes since nosotros registered the extraneous domains," the study reads.
"In simply about cases, nosotros stimulate got non been [able] to interpret the provided device model into a reference to the real-world device."So far, entirely BLU Products has issued a software update to address the vulnerability, though BitSight researchers haven't yet tested the spell to analyze its effectiveness. However, the remaining Android devices mightiness nonetheless last affected.
For to a greater extent than technical details nearly the vulnerability, you lot tin caput on to full report published past times BitSight's AnubisNetworks.
This is the minute representative inward a unmarried calendar week when researchers stimulate got warned you lot of Android smartphones coming pre-installed alongside backdoors that non entirely post massive amounts of your personal information to Chinese servers, but equally good let hackers to stimulate got command of your device.
