Open Ports Create Backdoors In Millions of Smartphones

An anonymous reader writes: "Mobile applications that open ports on Android smartphones are opening those devices to remote hacking, claims a team of researchers from the University of Michigan," reports Bleeping Computer. Researchers say they've identified 410 popular mobile apps that open ports on people's smartphones. They claim that an attacker could connect to these ports, which in turn grant access to various phone features, such as photos, contacts, the camera, and more. This access could be leveraged to steal photos, contacts, or execute commands on the target's phone. Researchers recorded various demos to prove their attacks. Of these 410 apps, there were many that had between 10 and 50 million downloads on the official Google Play Store and even an app that came pre-installed on an OEMs smartphones. "Research on the mobile open port problem started after researchers read a Trend Micro report from 2015 about a vulnerability in the Baidu SDK, which opened a port on user devices, providing an attacker with a way to access the phone of a user who installed an app that used the Baidu SDK," reports Bleeping Computer. "That particular vulnerability affected over 100 million smartphones, but Baidu moved quickly to release an update. The paper detailing the team's work is entitled Open Doors for Bob and Mallory: Open Port Usage in Android Apps and Security Implications, and was presented Wednesday, April 26, at the 2nd IEEE European Symposium on Security and Privacy that took place this week in Paris, France."

Backdoors on millions of devices

[dknj]

How many people root their Android device? Has anyone looked into SuperSU and how the simple su binary works? Nope.

The su binary that is passed around for all rooted Android distros has no source. It is maintained by a random person with financial motivation to not be conservative with your privacy or security.

I don't think Android users really care about backdoors to be honest

Re: List of Problematic Apps?

[jouassou]

I also don't store contact information in my phone.

So your phone doesn't know your phone number? Your email? Your Gmail / Facebook / WhatsApp account? Your mom's phone number? Your colleagues email addresses? Login cookies for any websites such as Amazon or EBay? WiFi password for your home network, which can be geographically located thanks to Google's positioning system? Text messages where someone casually mentions your name? If you answered yes to any of the above, a sufficiently determined attacker can probably figure out who you are. If you answered no to everything, why do you have a smartphone in the first place?