Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Security Android Cellphones China

Second Chinese Firm In a Week Found Hiding a Backdoor In Android Firmware (bleepingcomputer.com) 108

An anonymous reader quotes Bleeping Computer: Security researchers have discovered that third-party firmware included with over 2.8 million low-end Android smartphones allows attackers to compromise Over-the-Air (OTA) update operations and execute commands on the target's phone with root privileges. This is the second issue of its kind that came to light this week after researchers from Kryptowire discovered a similar secret backdoor in the firmware of Chinese firm Shanghai Adups Technology Co. Ltd.. This time around, the problem affected Android firmware created by another Chinese company named Ragentek Group.
It apparently affects more than 55 low-end/burner phones from BLU, Infinix Mobility, DOOGEE, LEAGOO, IKU Mobile, Beeline, and XOLO. According to the article, the binary performing the insecure updates "also includes code to hide its presence from the Android OS, along with two other binaries and their processes... Without SSL protection, this OTA system is an open backdoor for anyone looking to take control of it." Even worse, three domains were hard-coded into the binaries, two of which were unregistered, according to the researchers. "If an adversary had noticed this, and registered these two domains, they would've instantly had access to perform arbitrary attacks on almost 3,000,000 devices without the need to perform a Man-in-the-Middle attack."
This discussion has been archived. No new comments can be posted.

Second Chinese Firm In a Week Found Hiding a Backdoor In Android Firmware

Comments Filter:
  • by Anonymous Coward

    ... many eyes would better catch the most blatant attempts at such shenanigans.

    • Right, ok like how all those eyes found the heart bleed bug in SSL?

      • by Anonymous Coward

        Right, ok like how all those eyes found the heart bleed bug in SSL?

        "most blatant attempts at shenanigans".

        Bugs and extreme clever bits of TLA subversion both would still happen. Heart bleed would get found because as the herd security evolves, I think we would get to significant enough deployment of hard core full network analysis on each device (read: phone) and in enough cases outright pattern whitelisting that the paranoid could have even a bit of confidence against such things. Part of the "trust us we know whats best, don't look under the covers" pre-Snowden mentali

  • It's in all of them. If it hasn't been found in your Android, it just hasn't been found - yet.
  • by SeaFox ( 739806 ) on Sunday November 20, 2016 @01:13AM (#53324867)

    We just have to avoid all phones built in China.
    Oh, wait...

  • I really appreciate my Lumia phone more and more. Great OS and hardware and hardly any apps which keeps my chances of having these issues very small. 0 userbase + 0 apps = no reason for hackers to mess with me :)
  • I just checked for this binary, and it was not on my phone. I did have a binary file called debuggerd but it was not the same as debugs.

    • by Anonymous Coward

      How did you check for the binary? From TFA: "The binary responsible for the firmware OTA update operations also includes code to hide its presence from the Android OS, along with two other binaries and their processes."

      • I have root, a USB Cable, and a Full Rom dump of my firmware stored on my Hard Drive. I just used adb. I su to root as well.

  • by LostMyBeaver ( 1226054 ) on Sunday November 20, 2016 @01:32AM (#53324931)
    1) "By determining that it utilized Rui Maciel’s JSON library, it was straightforward to reverse the expected data structure of the server response. As shown below:"

    What the hell did this have to do with anything... it forced me to hate reading the entire rest of the article. I mean it was like reading "It's a UNIX machine, I know this!" If this sentence has any meaning what-so-ever to the author other than to show off that he could identify linked libraries... well never mind... not worth writing a book on it here.

    2) It's an oob updater

    It's very likely that if the intent of this code was to be malicious, it would have been hidden better. From what I can see, it looks like they were trying to keep the software installed and operating even through shutting down most of android and bringing it back up.

    By using a fixed process id, it makes it easier to identify numerically and by removing the code which appears to be clearly marked as debugging code from the process output, it might even be possible that the process will survive cycling through run levels. It's also clear that it should allow the external server to bring the phone back up.

    3) Likely a development tool more than an updater.

    It is very likely that the developer who was making the firmware base image made a series of tools that would allow pushing and testing a lot of changes remotely. It feels like a "poor man's version" of RSH on top of a REST API.

    4) Six month timer?

    In other words, it probably just means "go to sleep... I'm done". Indefinite is more appropriate for production code.

    If they were really trying to hide something, do you think they would have made it so obvious?

    This was just the case of a programmer dropping his/her image building and debugging code into the production image. He/she was probably also asked to add some possibility to update the firmware of the image remotely for tech support reasons. He/she probably just figured "I already have something".

    At the end of the article I take this away

      DANGER!!!! Some developer left highly insecure debugging code in the firmware used on a gazillion phones.

      DANGER!!!!!!! There's some publicity loving series of security losers trying to make headlines and sound important trying to scare everyone when in reality, they no have their own backdoor to a gazillion phones and didn't even consider ... "Wait... I could run a remote command to fix the problem and make it a non-issue".

    Yes... instead of trying to make headlines and run a fund raiser, you didn't even need to actually tell us about it, you could have just simply pushed a patch that any phone connecting to one of those URLs would be patched.
    • by Anonymous Coward on Sunday November 20, 2016 @01:43AM (#53324953)

      But you're missing the point, that if OTHER actors were to find these issues out ahead of time, 3 million + phones would be rootable by simply registering a couple of otherwise unclaimed domain names. That's not a "backdoor" as much as it is an open hole to the backyard...

      • by lucm ( 889690 )

        More devices to join the IoT botnets and take down the interwebs. To anyone expecting to use their new game console on Christmas day this year: it would be wise to have a Plan B that works offline (such as sex or Monopoly).

      • Nope... I see the point... they caught the problem.. they even mitigated it. Now they possess two domain names that can be used to root 3 million+ firms and frankly, I don't have much interest in a company that gets its rocks off on spreading FUD like they're the White House as a fund raiser. I also don't trust them.

        Now that they have those domains AND can execute commands on those phones AND have even used them for information gathering on all those phones, why not push something on to the end of /etc/host
  • i'm sure they're (whoever they are) are going to love the data they retrieve from the people who use low-end phones ;-)
  • Wait; we have burner smartphones now? When did this happen? 1) Buy burner 2) Deal !@#$ 3) Toss burner 4) Profit!
    • by SeaFox ( 739806 )

      Have you checked you local grocery store? Many sell prepaid smartphones right alongside the refill cards, with prices as low as $10 (yes, for an actual Android touchscreen smartphone).

    • okay so they are simple back three versions things that can't do 80% of the things current phones can but if you are in the US i would bet that 80% of the PONFA folks have smart phones now.

  • by drinkypoo ( 153816 ) <martin.espinoza@gmail.com> on Sunday November 20, 2016 @07:17AM (#53325645) Homepage Journal

    I was warned here that ES File was probably phoning home to China, so I removed it and my devices actually work better now. Is there any analysis of precisely what ES File Explorer is doing?

    • by Anonymous Coward

      ES File Explorer is made by Baidu, a company that is well know for malpractices and spying on its users.

  • Sometimes I've got a feeling that Google actively encourages security vulnerabilities considering that this particular local ROOT vulnerability affects at least 99% of all existing Android devices and Google skipped it in its latest security update.

    Welcome rootkits and unremovable trojans.

    • Google had already finalized the latest security update when Dirty COW was discovered. December's update will be their first chance to patch it.

      Furthermore given Android is an open platform ANYONE can develop for it, and this isn't Google's code at fault here. This is just a case of getting what you pay for when you buy a low-end Android phone that was made without adequate code review or security testing.

  • I wonder if this is the work of the Chinese intelligence agencies? That would almost certainly be everyone's explanation if it happened in a phone from a US company.

  • Now it would be stereotyping to direct the cheat intention at the Chinese... but the numerous occassions related to them is undeniable. First Lenovo, then other smaller fishes...

    My propossal to this problem is: To ban the brands indefinitely from the US and to permanently bar all executives at those companies from entering the US. This way, they learn their lesson... corporations stealilng from consumers is a crime that should not go unpunished. Phucking cheaters!!!

Things are not as simple as they seems at first. - Edward Thorp