How did firmware create an Android backdoor in budget devices?

An Android backdoor was discovered in the Ragentek firmware used in almost three million low-cost devices. Expert Michael Cobb explains how to prevent attacks on affected devices.

An Android backdoor was found in the Ragentek firmware, which is used in almost three million budget devices, that allows attackers to use man-in-the-middle attacks and gain full root access. How does this backdoor work, and what can be done to address it?

Firmware is low-level code stored in nonvolatile memory, such as ROM, erasable programmable read-only memory (EPROM) or flash memory; the rewritable types allow the firmware to be updated. It is embedded into hardware during the manufacturing process and contains the basic instructions that allow the hardware to function. Like operating system and application software, firmware can contain exploitable vulnerabilities.

Security researchers from BitSight Technologies Inc. found that firmware in various brands of low-cost Android phones left these devices vulnerable to code execution attacks due to a hidden backdoor. The Android backdoor is a serious security failing, as an attacker could use it to remotely seize full control of a vulnerable device. Phones from BLU Products, Infinix and DOOGEE have been the most affected.

The firmware binary, developed by Ragentek Group in Shanghai, runs with root privileges, and is designed to deliver over-the-air updates, but it does so over an unencrypted channel. This not only exposes user-specific information during any communications, but also allows an attacker to remotely execute system commands on the devices as a privileged user via a man-in-the-middle (MitM) attack. This could lead to the installation of malware with system privileges or configuration changes.

The firmware actively tries to hide itself, excluding references to the binary name in the list of running processes returned by the Linux ps and top commands, while the Java framework has also been modified to hide references to the process.

Two unregistered internet domain names are hardcoded into the firmware, which, if registered, would give the owner the ability to remotely seize full control of a vulnerable device, without the need to perform a MitM attack. AnubisNetworks, a subsidiary of BitSight Technologies in Cambridge, Mass., has since registered these domains to prevent such an attack from occurring.

The Android backdoor vulnerability has been assigned CVE-2016-6564, and the CERT notes include a list of vulnerable models discovered so far. The backdoor capabilities may well have been unintentional, but enterprises should take this problem seriously, as many phones are unlikely to ever receive an update. So far, only BLU Products appears to have released a fix, and its effectiveness, and whether it's an automatic or manual update, is unknown.

Although AnubisNetworks now owns two of the hardcoded domains, a sophisticated attack team could temporarily hijack the IP addresses that point to them and carry out any number of attacks. To check if a phone contains this Android backdoor, monitor for outgoing connections to the following domains: oyag[.]lhzbdvm[.]com, oyag[.]prugskh[.]net and oyag[.]prugskh[.]com.
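One way to perform that check at the network edge is to match resolver or DNS-tap logs against the three domains above. The script below is an added example for this article, not code from BitSight or AnubisNetworks; the log line format and the sample lines are constructed, and the indicators are the ones named in the text, refanged from their defanged form. It also treats subdomains of an indicator as hits, while rejecting lookalike names that a naive substring search would flag.

```python
"""Flag DNS lookups for the Ragentek backdoor's hardcoded update domains."""
import re
from collections import defaultdict

# Indicators from the article, defanged with [.] as published there.
RAGENTEK_DOMAINS_DEFANGED = (
    "oyag[.]lhzbdvm[.]com",
    "oyag[.]prugskh[.]net",
    "oyag[.]prugskh[.]com",
)

def refang(domain: str) -> str:
    """Turn a defanged indicator ('a[.]b') back into a matchable hostname."""
    return domain.replace("[.]", ".").lower().rstrip(".")

RAGENTEK_DOMAINS = {refang(d) for d in RAGENTEK_DOMAINS_DEFANGED}

# Assumed log shape (constructed): "<timestamp> <client-ip> query <qname>"
# per line. Adjust the regex to the real resolver's format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+query\s+(?P<qname>\S+)"
)

def matches_indicator(qname: str) -> bool:
    """True if qname is a backdoor domain or a subdomain of one (exact label
    boundary, so 'xoyag.prugskh.com' does not match)."""
    name = qname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in RAGENTEK_DOMAINS)

def find_suspect_clients(log_lines):
    """Return {client_ip: sorted matched query names} for clients that
    resolved a Ragentek domain. Lines that do not parse are ignored."""
    hits = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if m and matches_indicator(m.group("qname")):
            hits[m.group("client")].add(m.group("qname").lower().rstrip("."))
    return {ip: sorted(names) for ip, names in hits.items()}

# Constructed sample log: one device that phoned home, one that did not.
SAMPLE_LOG = """\
2017-04-03T10:01:12Z 10.0.0.21 query oyag.prugskh.net.
2017-04-03T10:01:13Z 10.0.0.21 query OYAG.lhzbdvm.com
2017-04-03T10:01:14Z 10.0.0.21 query update.oyag.prugskh.com
2017-04-03T10:01:15Z 10.0.0.35 query www.example.com.
2017-04-03T10:01:16Z 10.0.0.35 query xoyag.prugskh.com
""".splitlines()

if __name__ == "__main__":
    for ip, names in find_suspect_clients(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(names)}")
```

A hit identifies a device to isolate and patch; it does not by itself prove a compromise, since the firmware contacts these domains for its normal update check as well.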

Until an effective patch is installed, affected users should only connect to the internet using VPN software.

This was last published in April 2017