Slashdot Mirror


Open Ports Create Backdoors In Millions of Smartphones (bleepingcomputer.com)

An anonymous reader writes: "Mobile applications that open ports on Android smartphones are opening those devices to remote hacking, claims a team of researchers from the University of Michigan," reports Bleeping Computer. Researchers say they've identified 410 popular mobile apps that open ports on people's smartphones. They claim that an attacker could connect to these ports, which in turn grant access to various phone features, such as photos, contacts, the camera, and more. This access could be leveraged to steal photos and contacts, or execute commands on the target's phone. Researchers recorded various demos to prove their attacks. Of these 410 apps, there were many that had between 10 and 50 million downloads on the official Google Play Store and even an app that came pre-installed on an OEM's smartphones. "Research on the mobile open port problem started after researchers read a Trend Micro report from 2015 about a vulnerability in the Baidu SDK, which opened a port on user devices, providing an attacker with a way to access the phone of a user who installed an app that used the Baidu SDK," reports Bleeping Computer. "That particular vulnerability affected over 100 million smartphones, but Baidu moved quickly to release an update. The paper detailing the team's work is entitled Open Doors for Bob and Mallory: Open Port Usage in Android Apps and Security Implications, and was presented Wednesday, April 26, at the 2nd IEEE European Symposium on Security and Privacy that took place this week in Paris, France."

5 of 122 comments

  1. List of Problematic Apps? by SmilingBoy · Score: 3, Informative

    Is there a list of the problematic apps that they found? Their paper - which can be found here: http://web.eecs.umich.edu/~jac... - lists a few examples, but it would be useful to know the full list.

  2. ES File Explorer by drinkypoo · Score: 5, Informative

    ES File Explorer is apparently the poster child.

    I am now using Solid Explorer, which is just as good in all the other ways.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

  3. Re:Open ports by nyet · Score: 4, Informative

    Can you suggest a reason why a smartphone application should listen on a port without you knowing it?

  4. Re:Open ports by nyet · Score: 4, Informative

    BTW that is absolutely false. While an already open (and active) point to point connection is relatively hard to compromise, an application that is listen()ing on a port can be compelled to accept data from any source, at will, and repeatedly.

    This makes buffer overflow (or other remote exploits) attacks trivial to both test and execute successfully.

  5. Re:Open ports by Kokuyo · Score: 3, Informative

    Well, if my flashlight app wants to open a listening port on the network, that in and of itself seems fishy to me. Furthermore, the more services are listening for connections, the higher the chance that one of them is badly coded and will allow an attacker to get access to my data.
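
An added example, not part of the thread or the researchers' tooling: one way to audit a device for the condition discussed above is to parse the kernel's `/proc/net/tcp` table (for instance as read over `adb shell`) and list sockets in LISTEN state that belong to an installed app and are bound to a non-loopback address. The sample table, ports and UIDs below are constructed, and the function names are hypothetical.

```python
import ipaddress
import socket
import struct

TCP_LISTEN = 0x0A               # "st" value the kernel prints for LISTEN
ANDROID_APP_UID_START = 10000   # Android assigns installed apps UIDs from here up

# Constructed sample in /proc/net/tcp layout (not captured from a real device).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20111 1
   1: 00000000:A5F1 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10143        0 20342 1
   2: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10150        0 20377 1
   3: 0F02000A:C350 0A0200C0:01BB 01 00000000:00000000 00:00000000 00000000 10143        0 20990 1
"""

def decode_addr(field):
    """Decode 'HEXIP:HEXPORT'. The IPv4 word is printed in host byte order;
    little-endian is assumed here, which holds for ARM and x86 Android devices."""
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)

def listening_sockets(proc_net_tcp):
    """Return one dict per IPv4 socket in LISTEN state (tcp6 is not handled)."""
    rows = []
    for line in proc_net_tcp.splitlines()[1:]:      # skip the header row
        f = line.split()
        if len(f) < 10 or int(f[3], 16) != TCP_LISTEN:
            continue
        ip, port = decode_addr(f[1])
        uid = int(f[7])
        rows.append({
            "ip": ip, "port": port, "uid": uid,
            "app_owned": uid >= ANDROID_APP_UID_START,
            # A loopback bind is reachable only from the device itself;
            # 0.0.0.0 or an interface address accepts connections from the network.
            "remote_reachable": not ipaddress.ip_address(ip).is_loopback,
        })
    return rows

def exposed_app_listeners(proc_net_tcp):
    """App-owned listeners that other hosts on the network can connect to."""
    return [r for r in listening_sockets(proc_net_tcp)
            if r["app_owned"] and r["remote_reachable"]]

if __name__ == "__main__":
    for r in exposed_app_listeners(SAMPLE):
        print(f"uid {r['uid']} listens on {r['ip']}:{r['port']}")
```

On a device, the UID reported for each listener can be mapped back to a package name with the platform's package manager to see which app opened the port.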