Certain Android devices manufactured by the China-based ZTE Corporation contain a poorly protected setuid shell that can be used to gain root-access to vulnerable devices, according to Lookout Mobile Security.
Any attacker who successfully exploits the vulnerability will have complete control of the device, including the ability to install or uninstall any applications and view any content on the device.
Lookout explains that when an individual downloads an app, Android creates a user ID (UID) tailored for that program so that it can have its own resources and storage space. When a user deletes an application, its UID gets deleted as well. There is also a ’root’ UID, which is called the setuid shell. Any application that runs the setuid shell is granted full root access to the device.
The setuid shell on these devices is protected by a plaint-text password that is hardcoded into the software. So, in order to elevate their privileges on a device, all an attacker needs to know is that password, which I am going to provide for you here: ‘ztex1609523.′
The only affected device is the ZTE Score M, which is distributed by Metro PCS in the US. ZTE has acknowledged the bug and is working on a fix. In the meantime, Lookout is advising that the owners of vulnerable devices.
Lookout believes this configuration is used by Metro PCS to preload applications like MetroPCS Visual Voicemail and MetroStudio onto devices before being sold.