Slashdot Mirror

← Back to Stories (view on slashdot.org)

Second Chinese Firm In a Week Found Hiding a Backdoor In Android Firmware (bleepingcomputer.com)

Posted by EditorDavid on from the phoning-home dept.

An anonymous reader quotes Bleeping Computer: Security researchers have discovered that third-party firmware included with over 2.8 million low-end Android smartphones allows attackers to compromise Over-the-Air (OTA) update operations and execute commands on the target's phone with root privileges. This is the second issue of its kind that came to light this week after researchers from Kryptowire discovered a similar secret backdoor in the firmware of Chinese firm Shanghai Adups Technology Co. Ltd.. This time around, the problem affected Android firmware created by another Chinese company named Ragentek Group.
It apparently affects more than 55 low-end/burner phones from BLU, Infinix Mobility, DOOGEE, LEAGOO, IKU Mobile, Beeline, and XOLO. According to the article, the binary performing the insecure updates "also includes code to hide its presence from the Android OS, along with two other binaries and their processes... Without SSL protection, this OTA system is an open backdoor for anyone looking to take control of it." Even worse, three domains were hard-coded into the binaries, two of which were unregistered, according to the researchers. "If an adversary had noticed this, and registered these two domains, they would've instantly had access to perform arbitrary attacks on almost 3,000,000 devices without the need to perform a Man-in-the-Middle attack."

43 of 108 comments (clear)

  1. In a pure FOSS world... by Anonymous Coward · · Score: 1

    ... many eyes would better catch the most blatant attempts at such shenanigans.

    1. Re:In a pure FOSS world... by Anonymous Coward · · Score: 1

      The GP refers to the possibility that the compiler is compromised to insert evil instructions even through it's compiling good code. From Thompson's work:

      "No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect."

    2. Re:In a pure FOSS world... by ArchieBunker · · Score: 2

      Right, ok like how all those eyes found the heart bleed bug in SSL?

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    3. Re:In a pure FOSS world... by Anonymous Coward · · Score: 1

      Right, ok like how all those eyes found the heart bleed bug in SSL?

      "most blatant attempts at shenanigans".

      Bugs and extreme clever bits of TLA subversion both would still happen. Heart bleed would get found because as the herd security evolves, I think we would get to significant enough deployment of hard core full network analysis on each device (read: phone) and in enough cases outright pattern whitelisting that the paranoid could have even a bit of confidence against such things. Part of the "trust us we know whats best, don't look under the covers" pre-Snowden mentality is what might have severely amplified the number of never-detected heart bleed exploitations in the wild before public disclosure. Now if that helped the NSA prevent a million child molestations or terror attacks, then ... who knows, not I.

    4. Re:In a pure FOSS world... by Anonymous Coward · · Score: 1

      Of course there is. If the compiled output matches the binary release then you are fine. Otherwise you don't know.

      Still, many Android phone manufacturers have deiced to lock down the binaries as hard as they can, but not all.
      There are still a few Chinese brands where you are allowed to install whatever system you like without voiding the warranty.
      They just don't give support on custom builds. If you want support you will have to load their official binaries back on the phone.

      It's a bit sad that you have to look to the Chinese market to find the things you would expect from free market capitalism.

  2. Re: Strange... by Anonymous Coward · · Score: 5, Funny

    iPhone users experience a different sort of "backdooring". Now put your man bag down and taste my latte.

  3. Duh! by Ol+Olsoc · · Score: 1

    It's in all of them. If it hasn't been found in your Android, it just hasn't been found - yet.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  4. The solution is obvious... by SeaFox · · Score: 4, Funny

    We just have to avoid all phones built in China.
    Oh, wait...

    1. Re:The solution is obvious... by SeaFox · · Score: 1

      Google Pixel and most of the HTC phones are made in Taiwan. Also Apple will soon begin to produce some of their phones in India.

      I betcha the only iPhones Apple will be making in India are the ones for the Indian market. Much like making iPhones in Brazil because of their ridiculous import tariffs.

  5. My BLU Studio 5.0C not affected by Zombie+Ryushu · · Score: 1

    I just checked for this binary, and it was not on my phone. I did have a binary file called debuggerd but it was not the same as debugs.

    1. Re:My BLU Studio 5.0C not affected by Anonymous Coward · · Score: 1

      How did you check for the binary? From TFA: "The binary responsible for the firmware OTA update operations also includes code to hide its presence from the Android OS, along with two other binaries and their processes."

    2. Re:My BLU Studio 5.0C not affected by Zombie+Ryushu · · Score: 1

      I have root, a USB Cable, and a Full Rom dump of my firmware stored on my Hard Drive. I just used adb. I su to root as well.

  6. Why are security firms so full of shit? by LostMyBeaver · · Score: 5, Informative

    1) "By determining that it utilized Rui Maciel’s JSON library, it was straightforward to reverse the expected data structure of the server response. As shown below:"

    What the hell did this have to do with anything... it forced me to hate reading the entire rest of the article. I mean it was like reading "It's a UNIX machine, I know this!" If this sentence has any meaning what-so-ever to the author other than to show off that he could identify linked libraries... well never mind... not worth writing a book on it here.

    2) It's an oob updater

    It's very likely that if the intent of this code was to be malicious, it would have been hidden better. From what I can see, it looks like they were trying to keep the software installed and operating even through shutting down most of android and bringing it back up.

    By using a fixed process id, it makes it easier to identify numerically and by removing the code which appears to be clearly marked as debugging code from the process output, it might even be possible that the process will survive cycling through run levels. It's also clear that it should allow the external server to bring the phone back up.

    3) Likely a development tool more than an updater.

    It is very likely that the developer who was making the firmware base image made a series of tools that would allow pushing and testing a lot of changes remotely. It feels like a "poor man's version" of RSH on top of a REST API.

    4) Six month timer?

    In other words, it probably just means "go to sleep... I'm done". Indefinite is more appropriate for production code.

    If they were really trying to hide something, do you think they would have made it so obvious?

    This was just the case of a programmer dropping his/her image building and debugging code into the production image. He/she was probably also asked to add some possibility to update the firmware of the image remotely for tech support reasons. He/she probably just figured "I already have something".

    At the end of the article I take this away

      DANGER!!!! Some developer left highly insecure debugging code in the firmware used on a gazillion phones.

      DANGER!!!!!!! There's some publicity loving series of security losers trying to make headlines and sound important trying to scare everyone when in reality, they no have their own backdoor to a gazillion phones and didn't even consider ... "Wait... I could run a remote command to fix the problem and make it a non-issue".

    Yes... instead of trying to make headlines and run a fund raiser, you didn't even need to actually tell us about it, you could have just simply pushed a patch that any phone connecting to one of those URLs would be patched.

    1. Re:Why are security firms so full of shit? by Anonymous Coward · · Score: 4, Insightful

      But you're missing the point, that if OTHER actors were to find these issues out ahead of time, 3 million + phones would be rootable by simply registering a couple of otherwise unclaimed domain names. That's not a "backdoor" as much as it is an open hole to the backyard...

    2. Re:Why are security firms so full of shit? by lucm · · Score: 1

      More devices to join the IoT botnets and take down the interwebs. To anyone expecting to use their new game console on Christmas day this year: it would be wise to have a Plan B that works offline (such as sex or Monopoly).

      --
      lucm, indeed.
    3. Re:Why are security firms so full of shit? by LostMyBeaver · · Score: 2

      Nope... I see the point... they caught the problem.. they even mitigated it. Now they possess two domain names that can be used to root 3 million+ firms and frankly, I don't have much interest in a company that gets its rocks off on spreading FUD like they're the White House as a fund raiser. I also don't trust them.

      Now that they have those domains AND can execute commands on those phones AND have even used them for information gathering on all those phones, why not push something on to the end of /etc/hosts to block those three domains. How do we know they're not gathering terabytes of nudie pictures of 14 year old boys taken by kids who heard sending pictures of your penis to a girl is a great way to get lucky?

      Better yet, they have no advertised that they are a great target to hack to get access to 3 million phones. Most security companies have the worst security themselves. This is because anyone they have that is any good doesn't work on their network but instead is being billed out to customers.

  7. Re:Fines? by FatdogHaiku · · Score: 2

    Will the companies be fined? If not, they won't change anything.

    In a better universe where ponies grow on trees the companies would get class action sued...

    Also, no one would picnic under trees...

    --
    You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
  8. Re:Another reason I love my Lumia by bug1 · · Score: 3, Interesting

    I still have my Nokia N900, real keyboard, battery lasts days, too old and obscure to be target platform.

    Security through obscurity ???

  9. Re:Selling my Android, getting an iPhone by lucm · · Score: 3, Informative

    Damn right. Why have a Chinese backdoor when you can have an American backdoor instead?

    The iPhone is not American. It's designed by Indian rental employees and manufactured by Chinese slaves.

    --
    lucm, indeed.
  10. Re:Fines? by skids · · Score: 1

    Also, no one would picnic under trees...

    I'm quite averse enough to arboreal detritus to avoid this already, but yeah.

    --
    Someone had to do it.
  11. Re:Another reason I love my Lumia by jonwil · · Score: 2

    Same here, my N900 still works great and I will keep using it until it dies, my carrier makes a change that means I cant use it anymore or I can somehow afford something better (which basically at this point means a Neo900)

  12. budget phones? by NottaMehere · · Score: 1

    i'm sure they're (whoever they are) are going to love the data they retrieve from the people who use low-end phones ;-)

  13. Re:Strange... by GrandCow · · Score: 1

    You can modify an iPhone all you want, you just void the warranty.

    Apple isn't the first company nor will it be the last to void warranty for opening a device up and messing with it.

    --
    "Well kids, you tried your best, and you failed. The lesson is, never try." -Homer Simpson
  14. Burner phones? by bigbang137 · · Score: 1

    Wait; we have burner smartphones now? When did this happen? 1) Buy burner 2) Deal !@#$ 3) Toss burner 4) Profit!

    1. Re:Burner phones? by SeaFox · · Score: 1

      Have you checked you local grocery store? Many sell prepaid smartphones right alongside the refill cards, with prices as low as $10 (yes, for an actual Android touchscreen smartphone).

  15. Re:Poor people are destroying Apple by Mashiki · · Score: 1

    What, you can't afford a more recent iPhone?

    Wait until you find out that some of us are still using 5+ year old smart phones. Mine works(everywhere), does what it needs to, and I see no reason to upgrade. If I could have gotten away with a simple dumb cell phone I would have, but they sell them quick and usually only with limited stock numbers.

    --
    Om, nomnomnom...
  16. ES File Explorer by drinkypoo · · Score: 2

    I was warned here that ES File was probably phoning home to China, so I removed it and my devices actually work better now. Is there any analysis of precisely what ES File Explorer is doing?

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:ES File Explorer by Anonymous Coward · · Score: 1

      ES File Explorer is made by Baidu, a company that is well know for malpractices and spying on its users.

  17. Re:Poor people are destroying Apple by JaredOfEuropa · · Score: 1

    The 5s is 3 years "old", and still work fine after 3 years if you take care of it a little. Same for a 3 year old high end Android phone, I suspect. If you buy cheap rubbish however, you do need to replace it a lot sooner.

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  18. Re:Non Issue by campuscodi · · Score: 2

    They don't have it for the OS itself, but there are firmware components for OEM-specific software that receives OTA updates.

  19. Re:Selling my Android, getting an iPhone by Freischutz · · Score: 1

    The iPhone is not American. It's designed by Indian rental employees and manufactured by Chinese slaves.

    And the profits go to an Irish company.

    ...and there in a nutshell we have capitalism at work. Now stop bitching about it and get over it. The system is working as intended.

  20. Re:Another reason I love my Lumia by Parker+Lewis · · Score: 2

    Yeap, let's hail the privacy hero, Microsoft!

  21. Re:Another reason I love my Lumia by rholtzjr · · Score: 1

    Yup. Motorola Razor flip phone. Gotta love it.

  22. Heck we have Lifeline Smartphones by laurencetux · · Score: 1

    okay so they are simple back three versions things that can't do 80% of the things current phones can but if you are in the US i would bet that 80% of the PONFA folks have smart phones now.

  23. Dirty COW by Artem+S.+Tashkinov · · Score: 1

    Sometimes I've got a feeling that Google actively encourages security vulnerabilities considering that this particular local ROOT vulnerability affects at least 99% of all existing Android devices and Google skipped it in its latest security update.

    Welcome rootkits and unremovable trojans.

    1. Re:Dirty COW by The+MAZZTer · · Score: 1

      Google had already finalized the latest security update when Dirty COW was discovered. December's update will be their first chance to patch it.

      Furthermore given Android is an open platform ANYONE can develop for it, and this isn't Google's code at fault here. This is just a case of getting what you pay for when you buy a low-end Android phone that was made without adequate code review or security testing.

  24. Chinese Intelligence agency at work? by cold+fjord · · Score: 1

    I wonder if this is the work of the Chinese intelligence agencies? That would almost certainly be everyone's explanation if it happened in a phone from a US company.

    --
    much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
  25. Re:Fines? by cjjjer · · Score: 1

    Glad I have a BLU windows phone... phew...

  26. Re: Fines? by FatdogHaiku · · Score: 1

    But on the actual topic: is it possible that said "uneregistered domains" in the binaries are there as a convenience for dns-spoof exploits? I.e. if they resolve, the phone software knows the mitm state is active?

    That's not a bad end run for activation...

    --
    You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
  27. Re:Selling my Android, getting an iPhone by Khyber · · Score: 1

    Funny, it explicitly says in listing "GIGABYTE - PC Components - - Legacy - GC-RAMDISK"

    That's the iram. I own two. It is exactly both an HDD and software RAMDISK.

    Who's the sockpuppet, here?

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  28. Re:Selling my Android, getting an iPhone by budgenator · · Score: 1

    Deep in the bowel of Fort Meade, some Deputy Director of the NSA is saying "God Damn those fucking Chinese, who told them to put an extra backdoor into those cheap-assed burner phone? We paid for exclusivity!"

    --
    Apocalypse Cancelled, Sorry, No Ticket Refunds
  29. Re:It houses my pagefile lucm sockpuppet by lucm · · Score: 1

    APK,

    do you know what all those arguments you're having with other people have in common? You.

    I did a quick search and it appears that more than 80% of what you post is a reply to other people where you call them liars and sockpuppet - and you frequently post in the wrong threads. That makes you a net negative for this community.

    Why do you spend so much time and energy spamming the forum with your bitter, confused accusations? Are you one of those people who thrive on misery and anger?

    You're not a victim, APK. You're a nuisance.

    --
    lucm, indeed.
  30. Making themselves look bad by sentiblue · · Score: 2

    Now it would be stereotyping to direct the cheat intention at the Chinese... but the numerous occassions related to them is undeniable. First Lenovo, then other smaller fishes...

    My propossal to this problem is: To ban the brands indefinitely from the US and to permanently bar all executives at those companies from entering the US. This way, they learn their lesson... corporations stealilng from consumers is a crime that should not go unpunished. Phucking cheaters!!!