Last week, security experts from Kryptowire firm have discovered a backdoor in the firmware installed on low-cost Android phones. The backdoor affects mobile phones from BLU Products that are available for sale on both Amazon and Best Buy.
The backdoor resides in the commercial Firmware Over The Air (FOTA) update software that is installed on BLU Android devices provided as a service to BLU by AdUps.
Now researchers from Anubis Networks have discovered that a third-party firmware included in more than 2.8 million low-cost Android devices could be exploited to compromise the smartphones Over-the-Air (OTA) updates and gain root privileges.
The firmware affected by the backdoor is developed by the Chinese company Ragentek Group. The problem resides in the lack of encryption for the OTA mechanisms that expose users to MITM attacks. The analysis revealed that the Ragentek firmware running on the smartphone implements an insecure Over-the-Air update mechanism that establishes an unprotected connection to remote servers via an unencrypted communications channel.
Compared to the Adups backdoor discovered a few days ago, the Ragentek didn’t collect user data, but a malicious update could also implement such kind of behavior.
Experts highlighted that the OTA mechanism is pre-installed on million devices and runs as root without SSL protection, a perfect backdoor for attackers.
“It allowed for adversaries to remotely execute commands on the devices as a privileged user if they were in a position to conduct a Man-in-the-Middle attack. The binary responsible appears to be an insecure implementation of an OTA (Over-the-air) mechanism for device updates associated to the software company, Ragentek Group, in China.” reads the analysis published by Anubisnetworks.
“All transactions from the binary to the third-party endpoint occur over an unencrypted channel, which not only exposes user-specific information during these communications, but would allow an adversary to issue commands supported by the protocol. One of these commands allows for the execution of system commands. This issue affected devices out of the box.”
The discovery was made after a researcher bought a BLU Studio G smartphone from Best Buy, a circumstance similar to the previous discovery made by the experts at Kryptowire.
The researchers from AnubisNetworks found another disconcerting discovery, the firmware components that implement the OTA update mechanism also includes code to disguise its presence from the Android OS. This means that there in no evidence in the list of active Android processes of ongoing OTA updates.
Furthermore, the OTA code was distributed with a set of domains preconfigured in the binary. Surprisingly, only one of these domains was registered at the time of the discovery of this issue, this means that if an adversary will register these remaining two domains, they would potentially send malicious updates to almost 3,000,000 devices. AnubisNetworks bought these two domains to prevent any abuse.
Several low-price Android models are affected by the issues, mostly BLU Product, other impacted vendors are Infinix Mobility, DOOGEE, LEAGOO, IKU Mobile, Beeline, and XOLO.
Anubis, alongside with Google, BLU, and the US-CERT is notifying all affected vendors. The US-CERT has also issued a public advisory on the disconcerting discovery.
Below the list of affected binaries reported by the US CERT:
(Security Affairs – low-cost Android devices, backdoor)