

Android backdoor discovered in firmware for budget devices

A new Android backdoor leaves as many as 3 million users vulnerable, and one expert said enterprises must be careful about using budget devices.

Budget Android devices were found harboring another cybersecurity risk -- this time with an Android backdoor that could allow an attacker to gain root access.

Researchers at AnubisNetworks said the flaw, located in the firmware from Chinese company Ragentek Group, could affect as many as 3 million devices and allow for man-in-the-middle attacks. Although the issue affects a similar set of low-cost hardware, including smartphones from BLU, and also involves the over-the-air (OTA) update mechanism in firmware built by a Chinese company, AnubisNetworks said this Android backdoor is unrelated to the spyware found last week. According to AnubisNetworks, this flaw "appears to be an insecure implementation of an OTA mechanism for device updates associated to the software company, Ragentek Group, in China."

"All transactions from the binary to the third-party endpoint occur over an unencrypted channel, which not only exposes user-specific information during these communications, but would allow an adversary to issue commands supported by the protocol," researchers wrote in a blog post. "One of these commands allows for the execution of system commands. This issue affected devices out of the box."

Liviu Arsene, senior e-threat researcher at Romania-based antimalware firm Bitdefender, told SearchSecurity the Android backdoor should not be underestimated.

"Considering that a man-in-the-middle attack could potentially alter the firmware of an Android device, potentially enabling him to gain unfettered root access, this is a pretty bad hiccup," Arsene said. "Not relying on code signing to authenticate legitimate apps, not encrypting over-the-air communication and hardcoding unregistered domains are a full recipe for security failure."

AnubisNetworks said it "observed over 2.8 million distinct devices, across roughly 55 reported device models," but there could be more smartphone models affected. One device, the BLU Studio G, could be purchased in retail stores in the U.S., but most other vulnerable devices came from manufacturers targeting developing regions outside of the U.S.

Arsene said recent events should make enterprises looking toward budget devices consider the security implications.

"While most enterprises usually opt for midrange or high-end devices for employees, recent findings regarding budget phones should probably have companies on their toes," Arsene said. "Not because they could also be using some of these devices, but because of the nature of the vulnerability and the lack of control when it comes to fully managing Android devices. In light of recent events regarding budget phones, it seems that users worried about security should probably think twice when going for really low-budget devices."
