A newly discovered backdoor, part of a pre-installed rootkit, has rendered 3 million Android phones vulnerable to attack.
The backdoor, discovered by security researchers, affects Android devices that ship with a pre-installed rootkit, typically low-cost, budget models. It is associated with the over-the-air channel that software from the Chinese company Ragentek Group provides for system updates.
The pre-installed rootkit leaves devices open to a Man-In-The-Middle (MITM) attack because its over-the-air update mechanism carries its transactions over an unencrypted channel. This exposes user information during those communications and also lets a malicious user issue system commands over the network, essentially hijacking the command sequence in transit. Because the commands travel over an unsecured channel that is part of the device’s software out of the box, they are accepted by the rootkit’s own protocol.
The researchers observed that the devices reached out over these unsecured channels immediately after initialization, leading them to believe that the devices were affected out of the box and that the issue stemmed from a pre-installed feature rather than from a subsequent update.
While the researchers could not say whether the coders were aware of the vulnerability, they did discover that an explicit check had been added to the code to mask the fact that the vulnerable protocols were running. The code skipped over two specific ‘debugs’ actions while they were running, essentially hiding their activity from the user.
Upon investigation, the researchers attributed the discrepancy to either a mistake on the part of the original author, outdated firmware, or differences in firmware between different brands of Android devices.
The researchers found that just over 50% of the vulnerable devices came from the manufacturers Blu, Infinix, Doogee, Leagoo, and Xolo, with the remainder categorized as ‘other.’ Owners of affected devices are currently being contacted by Anubis Researchers, along with Google, Blu and CERT.
The vulnerability described left users of affected devices open to a MITM attack; however, the researchers also found that the devices shipped with a set of domains preconfigured in the software. Had a malicious user discovered this first, they would only have needed to register those domains to their own accounts in order to gain access to over three million Android devices, without the need for an active MITM attack.
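Both weaknesses described above, the unencrypted update channel and the hard-coded domains that anyone could register, come from the same design choice: the device trusts whatever the update endpoint returns. The example below is an added illustration, not code from the Ragentek software or from the researchers, of the device-side check that removes that trust. It assumes a constructed manifest format (a version, an https download URL and a SHA-256 digest, with no field through which the server could hand the device a command) and an Ed25519 vendor public key embedded in the firmware at build time. Because the signature is checked against that key rather than against the network path or the server’s hostname, a response altered in transit and a response served by whoever registers the preconfigured domain both fail the same check before any of their contents are used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Manifest is the only thing the client accepts from the update server.
// The schema is constructed for this example: it names a firmware image and
// its digest, and deliberately has no field that could carry a command.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"`
}

// SignedUpdate is the assumed wire format: the manifest bytes plus a detached
// Ed25519 signature over exactly those bytes.
type SignedUpdate struct {
	Manifest  []byte `json:"manifest"`
	Signature []byte `json:"signature"`
}

var (
	ErrBadSignature = errors.New("ota: manifest signature does not verify; update refused")
	ErrInsecureURL  = errors.New("ota: firmware URL is not https; update refused")
	ErrBadDigest    = errors.New("ota: sha256 field is not a 64-hex-digit digest; update refused")
)

// SignManifest runs on the vendor's release infrastructure, where the private
// key lives. The device never holds this key, so a server the vendor does not
// control (for example one behind a re-registered domain) cannot produce a
// manifest the device will accept.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (SignedUpdate, error) {
	raw, err := json.Marshal(m)
	if err != nil {
		return SignedUpdate{}, err
	}
	return SignedUpdate{Manifest: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

// VerifyManifest is the device-side check. pub is the vendor public key baked
// into the firmware. The signature is verified before the bytes are parsed, so
// nothing from an unauthenticated response is ever interpreted.
func VerifyManifest(pub ed25519.PublicKey, u SignedUpdate) (*Manifest, error) {
	// ed25519.Verify panics on a malformed key, so check the length first.
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, u.Manifest, u.Signature) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(u.Manifest, &m); err != nil {
		return nil, err
	}
	// Even a correctly signed manifest must not send the device to a cleartext
	// download, and the digest must be usable to check the image after download.
	if !strings.HasPrefix(m.URL, "https://") {
		return nil, ErrInsecureURL
	}
	if d, err := hex.DecodeString(m.SHA256); err != nil || len(d) != 32 {
		return nil, ErrBadDigest
	}
	return &m, nil
}

func main() {
	// Vendor key pair, generated here only so the example runs stand-alone.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	good := Manifest{Version: "1.0.1", URL: "https://updates.example.invalid/fw-1.0.1.bin", SHA256: strings.Repeat("ab", 32)}
	su, _ := SignManifest(priv, good)
	m, err := VerifyManifest(pub, su)
	fmt.Println("genuine response:", m.Version, err)

	// The same response with one byte of the manifest changed on the wire.
	altered := su
	altered.Manifest = append([]byte(nil), su.Manifest...)
	altered.Manifest[10] ^= 0x01
	_, err = VerifyManifest(pub, altered)
	fmt.Println("altered response:", err)

	// A response signed by some other key, as a server the vendor does not control would produce.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	rogue, _ := SignManifest(otherPriv, good)
	_, err = VerifyManifest(pub, rogue)
	fmt.Println("rogue-server response:", err)
}
```

The domain-takeover scenario and the on-path scenario are deliberately not distinguished in the client: both reduce to "the bytes were not signed by the vendor key", which is the only question the device needs to answer. Pinning the key in firmware also means the hard-coded hostnames stop being a secret worth protecting, since owning the name no longer buys the ability to push anything to the device.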