Nmedia - Fotolia
An Android backdoor was found in the Ragentek firmware, which is used in almost three million budget devices, that allows attackers to use man-in-the-middle attacks and gain full root access. How does this backdoor work, and what can be done to address it?
Firmware is low-level code stored in nonvolatile memory, such as ROM, erasable programmable read-only memory or flash memory, to allow for updates. It is embedded into hardware during the manufacturing process, and contains the basic instructions that allow the hardware to function. Like operating system and application software, firmware can contain exploitable vulnerabilities.
Security researchers from BitSight Technologies Inc. found that firmware in various brands of low-cost Android phones left these devices vulnerable to code execution attacks due to a hidden backdoor. The Android backdoor is a serious security failing, as an attacker could use it to remotely seize full control of a vulnerable device. Phones from BLU Products, Infinix and DOOGEE have been the most affected.
The firmware binary, developed by Ragentek Group in Shanghai, runs with root privileges, and is designed to deliver over-the-air updates, but it does so over an unencrypted channel. This not only exposes user-specific information during any communications, but also allows an attacker to remotely execute system commands on the devices as a privileged user via a man-in-the-middle (MitM) attack. This could lead to the installation of malware with system privileges or configuration changes.
The firmware actively tries to hide itself, excluding references to the binary name in the list of running processes returned by the Linux ps and top commands, while the Java framework has also been modified to hide references to the process.
Two unregistered internet domain names are hardcoded into the firmware, which, if registered, would give the owner the ability to remotely seize full control of a vulnerable device, without the need to perform a MitM attack. AnubisNetworks, a subsidiary of BitSight Technologies in Cambridge, Mass., has since registered these domains to prevent such an attack from occurring.
The Android backdoor vulnerability has been assigned CVE-2016-6564, and the CERT notes include a list of vulnerable models discovered so far. The backdoor capabilities may well have been unintentional, but enterprises should take this problem seriously, as many phones are unlikely to ever receive an update. So far, only BLU Products appears to have released a fix, and its effectiveness, and whether it's an automatic or manual update, is unknown.
Although AnubisNetworks now owns two of the hardcoded domains, a sophisticated attack team could temporarily hijack the IP addresses that point to them and carry out any number of attacks. To check if a phone contains this Android backdoor, monitor for outgoing connections to the following domains: oyag[.]lhzbdvm[.]com, oyag[.]prugskh[.]net and oyag[.]prugskh[.]com.
Until an effective patch is installed, affected users should only connect to the internet using VPN software.
Find out how the Pork Explosion vulnerability is used to create an Android backdoor
Learn how to differentiate between a security backdoor and a vulnerability
Discover how the Linux kernel Dirty COW flaw can be used to attack Android devices
Dig Deeper on Mobile security threats and prevention
Related Q&A from Michael Cobb
As bitcoin use increases, so too have the number of cyber attacks on cryptocurrency exchanges and wallets. Learn how to keep bitcoin use secure. Continue Reading
Pirated software is still a major concern nowadays. Uncover how to prevent software piracy and protect your organization's intellectual property. Continue Reading
Port scans provide data on how networks operate. In the wrong hands, this info could be part of a larger malicious scheme. Learn how to detect and ... Continue Reading