Slashdot Mirror


Second Chinese Firm In a Week Found Hiding a Backdoor In Android Firmware (bleepingcomputer.com)

An anonymous reader quotes Bleeping Computer: Security researchers have discovered that third-party firmware included with over 2.8 million low-end Android smartphones allows attackers to compromise Over-the-Air (OTA) update operations and execute commands on the target's phone with root privileges. This is the second issue of its kind that came to light this week after researchers from Kryptowire discovered a similar secret backdoor in the firmware of Chinese firm Shanghai Adups Technology Co. Ltd. This time around, the problem affected Android firmware created by another Chinese company named Ragentek Group.
It apparently affects more than 55 low-end/burner phones from BLU, Infinix Mobility, DOOGEE, LEAGOO, IKU Mobile, Beeline, and XOLO. According to the article, the binary performing the insecure updates "also includes code to hide its presence from the Android OS, along with two other binaries and their processes... Without SSL protection, this OTA system is an open backdoor for anyone looking to take control of it." Even worse, three domains were hard-coded into the binaries, two of which were unregistered, according to the researchers. "If an adversary had noticed this, and registered these two domains, they would've instantly had access to perform arbitrary attacks on almost 3,000,000 devices without the need to perform a Man-in-the-Middle attack."
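The two defects the article describes (updates fetched without SSL, and hard-coded server names that anyone could register) both come down to the device trusting whatever the update server says. The block below is an added example, not code from the article, from Ragentek, or from the affected firmware: it shows the update-client side of a design that would have closed that hole, where the firmware pins a vendor Ed25519 public key and refuses any manifest that is not signed by it, any download URL that is not HTTPS, and any payload whose SHA-256 does not match the signed digest. The key pair, manifest fields, URL and "firmware image" bytes are all constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// Manifest is the update description the server returns. The signature covers
// version, url and sha256, so a network attacker or a squatted domain cannot
// point the device at a different payload without the vendor's private key.
type Manifest struct {
	Version   string `json:"version"`
	URL       string `json:"url"`
	SHA256    string `json:"sha256"`    // hex digest of the update payload
	Signature string `json:"signature"` // base64 Ed25519 signature over signedBytes()
}

// signedBytes builds the canonical byte string that is signed. Fields are
// length-prefixed so that shifting bytes between fields changes the input.
func signedBytes(m *Manifest) []byte {
	var out []byte
	for _, f := range []string{m.Version, m.URL, m.SHA256} {
		out = append(out, byte(len(f)>>8), byte(len(f)))
		out = append(out, f...)
	}
	return out
}

// SignManifest is what the vendor's release system would run; the private key
// never lives on the device.
func SignManifest(priv ed25519.PrivateKey, m *Manifest) {
	m.Signature = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, signedBytes(m)))
}

// VerifyManifest rejects a manifest that is not signed by the pinned vendor key
// and a download URL that is not HTTPS (the reported firmware used plaintext).
func VerifyManifest(pub ed25519.PublicKey, raw []byte) (*Manifest, error) {
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, fmt.Errorf("manifest: bad JSON: %w", err)
	}
	sig, err := base64.StdEncoding.DecodeString(m.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return nil, errors.New("manifest: malformed signature")
	}
	if !ed25519.Verify(pub, signedBytes(&m), sig) {
		return nil, errors.New("manifest: signature does not verify")
	}
	u, err := url.Parse(m.URL)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return nil, errors.New("manifest: download URL must be https")
	}
	return &m, nil
}

// VerifyPayload checks the downloaded image against the signed digest, so the
// transport cannot substitute another image even if the URL was reachable.
func VerifyPayload(m *Manifest, payload []byte) error {
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("payload: sha256 mismatch, refusing to install")
	}
	return nil
}

// WithURL re-encodes a manifest with a different download URL (used to show
// that editing a signed field invalidates the signature).
func WithURL(raw []byte, newURL string) []byte {
	var m Manifest
	_ = json.Unmarshal(raw, &m)
	m.URL = newURL
	out, _ := json.Marshal(&m)
	return out
}

// DemoSignedManifest builds a constructed (not real) vendor key pair, payload
// and signed manifest so the checks above can be exercised offline.
func DemoSignedManifest() (ed25519.PublicKey, []byte, []byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	payload := []byte("constructed firmware image bytes, not a real update")
	sum := sha256.Sum256(payload)
	m := &Manifest{Version: "1.0.1", URL: "https://updates.example.invalid/fw-1.0.1.bin", SHA256: hex.EncodeToString(sum[:])}
	SignManifest(priv, m)
	raw, err := json.Marshal(m)
	return pub, raw, payload, err
}

func main() {
	pub, raw, payload, _ := DemoSignedManifest()
	m, err := VerifyManifest(pub, raw)
	fmt.Println("genuine manifest:", err == nil, "payload:", VerifyPayload(m, payload) == nil)
	_, err = VerifyManifest(pub, WithURL(raw, "http://updates.example.invalid/fw-1.0.1.bin"))
	fmt.Println("edited manifest rejected:", err != nil)
}
```

The point of the design is that neither the hostname nor the transport is what the device trusts: even if an attacker registers one of the hard-coded domains or sits in the path of a plaintext connection, the only thing they can deliver is a manifest the device will refuse.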

2 of 108 comments

  1. Why are security firms so full of shit? by LostMyBeaver · Score: 5, Informative

    1) "By determining that it utilized Rui Maciel’s JSON library, it was straightforward to reverse the expected data structure of the server response. As shown below:"

    What the hell did this have to do with anything... it forced me to hate reading the entire rest of the article. I mean it was like reading "It's a UNIX machine, I know this!" If this sentence has any meaning whatsoever to the author other than to show off that he could identify linked libraries... well never mind... not worth writing a book on it here.

    2) It's an oob updater

    It's very likely that if the intent of this code was to be malicious, it would have been hidden better. From what I can see, it looks like they were trying to keep the software installed and operating even through shutting down most of android and bringing it back up.

    By using a fixed process id, it makes it easier to identify numerically and by removing the code which appears to be clearly marked as debugging code from the process output, it might even be possible that the process will survive cycling through run levels. It's also clear that it should allow the external server to bring the phone back up.

    3) Likely a development tool more than an updater.

    It is very likely that the developer who was making the firmware base image made a series of tools that would allow pushing and testing a lot of changes remotely. It feels like a "poor man's version" of RSH on top of a REST API.

    4) Six month timer?

    In other words, it probably just means "go to sleep... I'm done". Indefinite is more appropriate for production code.

    If they were really trying to hide something, do you think they would have made it so obvious?

    This was just the case of a programmer dropping his/her image building and debugging code into the production image. He/she was probably also asked to add some possibility to update the firmware of the image remotely for tech support reasons. He/she probably just figured "I already have something".

    At the end of the article I take this away

      DANGER!!!! Some developer left highly insecure debugging code in the firmware used on a gazillion phones.

      DANGER!!!!!!! There's some publicity loving series of security losers trying to make headlines and sound important trying to scare everyone when in reality, they now have their own backdoor to a gazillion phones and didn't even consider ... "Wait... I could run a remote command to fix the problem and make it a non-issue".

    Yes... instead of trying to make headlines and run a fundraiser, you didn't even need to actually tell us about it, you could have just simply pushed a patch that any phone connecting to one of those URLs would be patched.

  2. Re:Selling my Android, getting an iPhone by lucm · Score: 3, Informative

    Damn right. Why have a Chinese backdoor when you can have an American backdoor instead?

    The iPhone is not American. It's designed by Indian rental employees and manufactured by Chinese slaves.

    --
    lucm, indeed.