Over 2.8 million cheap Android smartphones come with preinstalled backdoor

If you’re using a cheap Android smartphone manufactured or sold by BLU, Infinix, Doogee, Leagoo, IKU, Beeline or Xolo, you are likely wide open to Man-in-the-Middle attacks that can result in your device being thoroughly compromised.

A more detailed (but not complete) list of vulnerable devices can be found in an advisory by CERT/CC.

This discovery comes less than a week after researchers from Kryptowire identified several models of Android mobile devices that contain firmware that collects sensitive data about their owners and secretly transmits it to servers owned by a company named Shanghai Adups Technology Co. Ltd.

Among these mobile devices are also some BLU smartphones.

The origin of the vulnerability (CVE-2016-6564)

Those and other devices (roughly 55 device models) are open to attack because they sport the same firmware by Chinese software company Ragentek Group.

This firmware contains a binary that is responsible for enabling over-the-air (OTA) software updating, but unfortunately the mechanism is flawed.

For one, the update requests and supplied updates are sent over an unencrypted channel. Secondly, until a few days ago, two Internet domains that the firmware is instructed to contact for updates (the addresses are hardwired into it) were unregistered – meaning anybody could have registered them and delivered malicious updates and commands to compromise the devices.

Luckily, it was researchers from Anubis Networks that did it, and the move allowed them clock over 2.8 million devices that contacted the domains in search for updates. Many of these devices are located in the US, as most of the models are sold by Best Buy and Amazon.

But even though the domains are now owned by these security companies, the fact that updates are delivered over an unencrypted channel allows attackers with a MitM position to intercept legitimate updates and exchange them for malicious ones (the firmware does not check for any signatures to assure the updates’ legitimacy).

MitM attackers could also send responses that would make the devices execute arbitrary commands as root, install applications, or update configurations.

Is this a deliberate backdoor/rootkit?

It does seem so. According to the researchers, the binary that performs OTA update checks – debugs, in the /system/bin/ folder – runs with root privileges, but its presence and the process it starts are being actively hidden by the firmware.

“It’s unclear why the author of this process wanted to purposely hide the presence of the process and local database on the device, although it’s worth noting that it did not attempt to do this comprehensively,” they researchers noted.

But they told Ars Technica that believe the backdoor capabilities were unintentional, and Ragentek is yet to comment on the discovery.

How to protect yourself?

If you’re using one of the affected devices, the right solution is to implement an update with the fix – when it becomes available. But make sure to download the update only over trusted networks and/or use a VPN to encrypt and protect the traffic from tampering.

So far, only BLU has released such an update, but the fix has not yet been checked.

A workaround that should keep you safe until a security update includes using your device only on trusted networks (eg. your home network, as opposed to open or public Wi-Fi).