Nearly three million Android devices are vulnerable to an attack that could allow a hacker to compromise over-the-air (OTA) updates to the devices and allow adversaries to remotely execute commands with root privileges.
The problem stems from what researchers call an insecure implementation of an OTA mechanism used for updates associated with software made by Ragentek Group, a Chinese firm based in Pudong, Shanghai.
According to researchers with Anubis Networks, who disclosed the issue last week, communications over the channel from the responsible binary are unencrypted, which opens the door for a man-in-the-middle attack.
“All transactions from the binary to the third-party endpoint occur over an unencrypted channel, which not only exposes user-specific information during these communications, but would allow an adversary to issue commands supported by the protocol. One of these commands allows for the execution of system commands,” said Dan Dahlberg and Tiago Pereira, researchers with Anubis Networks who on Thursday disclosed the vulnerability.
Researchers with the firm claim that 2.8 million devices – spread across 55 different device models – checked into a sinkhole tied to the binary.
When CERT, a division of the Software Engineering Institute, warned about the issue last week in its Vulnerability Notes Database, it said the behavior of Ragentek’s code is akin to a rootkit, since the binary runs with root privileges and isn’t encrypted. CERT added, this makes it easy for an attacker to install applications or update configurations, on a device, in addition to the execution of arbitrary commands.
According to the CERT warning, the vulnerable binaries are mostly found in low cost devices, including several made by BLU Studio, Infinix, DOOGEE, and LEAGOO. Researchers claim they acquired one of the devices it tested, a BLU Studio G, off the shelf at Best Buy and that the issue impacted devices out of the box.
Anubis Networks said that it worked with BLU, the vendor most affected by the binary, Google and CERT to report the issue and alert the vendors.
Researchers with the firm weren’t clear of the full scope of the issue until they realized that the devices attempt to contact two domains in addition to Ragentek’s. Those domains weren’t registered until Anubis became cognizant of them and acquired them. Dahlberg and Pereira warned in their write up of the issue that if an attacker had known about the domains and purchased them, they could’ve had free reign over the nearly three million devices without even needing to carry out a MiTM attack.
The news comes a few days after another backdoor was discovered in another subset of Android devices also containing Chinese firmware.
Last Tuesday, researchers with Kryptowire said that phones manufactured by ADUPS Technology Co., Ltd., also based in Shanghai, were transmitting personally identifiable information without user consent or knowledge. The firmware used an OTA update system that was shipped with some devices, such as the BLU R1 HD phone, to monitor users. Data about the users, including in some instances users’ text messages and call logs, were then forwarded to the company’s servers in Shanghai.
BLU Products, a Miami, Florida-based mobile phone manufacturer fixed the issue that Anubis Networks found, according to CERT. In a briefing with the New York Times, which first broke the Kryptowire news, BLU Products’ chief executive, Samuel Ohev-Zion, said 120,000 of its phones were affected by the issue and that a future update would remedy the issue.
Outside of BLU, the remaining vendors have not issued a statement on the issue.