Slashdot Mirror


Open Ports Create Backdoors In Millions of Smartphones (bleepingcomputer.com)

An anonymous reader writes: "Mobile applications that open ports on Android smartphones are opening those devices to remote hacking, claims a team of researchers from the University of Michigan," reports Bleeping Computer. Researchers say they've identified 410 popular mobile apps that open ports on people's smartphones. They claim that an attacker could connect to these ports, which in turn grant access to various phone features, such as photos, contacts, the camera, and more. This access could be leveraged to steal photos, contacts, or execute commands on the target's phone. Researchers recorded various demos to prove their attacks. Of these 410 apps, there were many that had between 10 and 50 million downloads on the official Google Play Store and even an app that came pre-installed on an OEM's smartphones. "Research on the mobile open port problem started after researchers read a Trend Micro report from 2015 about a vulnerability in the Baidu SDK, which opened a port on user devices, providing an attacker with a way to access the phone of a user who installed an app that used the Baidu SDK," reports Bleeping Computer. "That particular vulnerability affected over 100 million smartphones, but Baidu moved quickly to release an update. The paper detailing the team's work is entitled Open Doors for Bob and Mallory: Open Port Usage in Android Apps and Security Implications, and was presented Wednesday, April 26, at the 2nd IEEE European Symposium on Security and Privacy that took place this week in Paris, France."

83 of 122 comments

  1. List of Problematic Apps? by SmilingBoy · · Score: 3, Informative

    Is there a list of the problematic apps that they found? Their paper - which can be found here: http://web.eecs.umich.edu/~jac... - lists a few examples, but it would be useful to know the full list.

    1. Re:List of Problematic Apps? by nyet · · Score: 2

      This is exactly what netstat -l is good for.

      https://play.google.com/store/...

      Granted, if it is a transient listen(), netstat -l won't catch it (e.g. something is required to trigger the listen), but long lived, persistent listen()s will show up.

    2. Re: List of Problematic Apps? by jouassou · · Score: 3, Interesting

      I also don't store contact information in my phone.

      So your phone doesn't know your phone number? Your email? Your Gmail / Facebook / WhatsApp account? Your mom's phone number? Your colleagues email addresses? Login cookies for any websites such as Amazon or EBay? WiFi password for your home network, which can be geographically located thanks to Google's positioning system? Text messages where someone casually mentions your name? If you answered yes to any of the above, a sufficiently determined attacker can probably figure out who you are. If you answered no to everything, why do you have a smartphone in the first place?

    3. Re: List of Problematic Apps? by sumdumass · · Score: 1

      Presumably, you would know because it would be listed in the open ports. I suppose it could filter its own results though.

      You could just install a terminal app and run the built in netstat command? I like termux but choose whatever. You should be able to pipe the output into a text document that you can move to a computer with a full screen to inspect. The thing about using a native OS command in a terminal window instead of a utility app to run the command is that it will not or will be unlikely to be able to censor out its own vulnerabilities (open ports). This is especially true if you vary the command and look for discrepancies like using the -lt switch or -tp or -ac and watching for changed information over time.
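
An added example, not part of any comment in this thread: the netstat suggestions above come down to reading the kernel's socket tables, and comparing two captures taken at different times is what catches a transient listen(). The sketch below parses text in the Linux /proc/net/tcp and /proc/net/tcp6 layout, going beyond the IPv4 case to cover IPv6 wildcard binds, and reports app-owned listeners that appeared between two snapshots and are not bound to loopback. The snapshot data is constructed, the function names are hypothetical, and it assumes a little-endian device and that apps have UIDs from 10000 upward as on Android.

```python
import ipaddress
import struct
from typing import List, NamedTuple, Set

TCP_LISTEN = 0x0A       # kernel state code in the "st" column for LISTEN
FIRST_APP_UID = 10000   # assumption: Android app UIDs start at 10000


class Listener(NamedTuple):
    addr: str
    port: int
    uid: int


def decode_addr(hex_addr: str):
    """Decode the hex address column (8 hex digits for IPv4, 32 for IPv6).

    Each 32-bit word is printed in host byte order, so on little-endian
    ARM/x86 "0100007F" is 127.0.0.1.
    """
    words = [int(hex_addr[i:i + 8], 16) for i in range(0, len(hex_addr), 8)]
    ip = ipaddress.ip_address(b"".join(struct.pack("<I", w) for w in words))
    # Report ::ffff:a.b.c.d as plain IPv4 so the loopback check applies to it.
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip


def parse_listeners(table: str) -> Set[Listener]:
    """Return every socket in LISTEN state found in the table text."""
    found = set()
    for line in table.splitlines():
        fields = line.split()
        # Data rows start with an index such as "0:"; this skips the header.
        if len(fields) < 10 or not fields[0].endswith(":"):
            continue
        if int(fields[3], 16) != TCP_LISTEN:
            continue
        hex_addr, hex_port = fields[1].split(":")
        found.add(Listener(str(decode_addr(hex_addr)),
                           int(hex_port, 16), int(fields[7])))
    return found


def is_exposed(listener: Listener) -> bool:
    """App-owned listener bound to something other than loopback."""
    ip = ipaddress.ip_address(listener.addr)
    return listener.uid >= FIRST_APP_UID and not ip.is_loopback


def new_exposed_listeners(before: str, after: str) -> List[Listener]:
    """Exposed listeners present in `after` but not in `before`."""
    appeared = parse_listeners(after) - parse_listeners(before)
    return sorted((l for l in appeared if is_exposed(l)), key=lambda l: l.port)


# Constructed sample data in the /proc/net/tcp layout (not from a real device).
HEADER = ("  sl  local_address rem_address   st tx_queue rx_queue "
          "tr tm->when retrnsmt   uid  timeout inode\n")
# An app listening on 127.0.0.1:8080 plus one established outbound connection.
SNAPSHOT_1 = HEADER + (
    "   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 "
    "00:00000000 00000000 10087        0 20311 1\n"
    "   1: 1701A8C0:9C40 0A7100CB:01BB 01 00000000:00000000 "
    "00:00000000 00000000 10087        0 20544 1\n"
)
# Later capture: another app now listens on [::]:42435 (tcp6 row format).
SNAPSHOT_2 = SNAPSHOT_1 + (
    "   2: 00000000000000000000000000000000:A5C3 "
    "00000000000000000000000000000000:0000 0A 00000000:00000000 "
    "00:00000000 00000000 10142        0 20790 1\n"
)

if __name__ == "__main__":
    for l in new_exposed_listeners(SNAPSHOT_1, SNAPSHOT_2):
        print(f"new listener {l.addr} port {l.port} owned by uid {l.uid}")
```

The established connection and the loopback-only listener are ignored; only the wildcard bind that appeared in the second capture is reported, together with the UID that identifies the owning app.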

    4. Re: List of Problematic Apps? by AK+Marc · · Score: 1

      Your wording indicates that you have a secure Android phone, and you don't use it. I think you are trolling.

  2. Little Snitch by amiga3D · · Score: 1

    How about a port of "little snitch" to android phones. I've got it on my Macs and I love it.

    1. Re:Little Snitch by Anonymous Coward · · Score: 1

      How about a port of "little snitch" to android phones. I've got it on my Macs and I love it.

      Sounds like something that would require you to have administrator privileges to your phone. The powers that be (Google, Apple, Samsung etc.) have decided that this is an "insecure" configuration ("insecure" meaning it would allow you to be able to control your own damn phone)...

  3. No mention of Apple or iOS by divide+overflow · · Score: 2

    I searched the PDF of the paper and found no mention of either Apple or iOS, but Android and Java are mentioned multiple times.

  4. ES File Explorer by drinkypoo · · Score: 5, Informative

    ES File Explorer is apparently the poster child.

    I am now using Solid Explorer which is just as good in all the other ways

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:ES File Explorer by Anonymous Coward · · Score: 1

      ES has been a spying piece of shit for a couple years now.

  5. Re:Open ports by nyet · · Score: 4, Informative

    Can you suggest a reason why a smartphone application should listen on a port without you knowing it?

  6. Re:Open ports by FrankHaynes · · Score: 1

    I don't need to know what ports have been opened by an app, as long as it works. It's what the app does with that connection that is of interest.

    I'd be more concerned with the app reporting back to HQ with whatever data they mine from your use of it.

    --
    slashdot: A failed experiment.
  7. Re: Open ports by Anonymous Coward · · Score: 1

    Because you're going to get really tired of being notified real fast.

  8. Re: Open ports by K.+S.+Kyosuke · · Score: 1

    Because it's essential for its operation, for example?

    --
    Ezekiel 23:20
  9. Dangerous comment by SuperKendall · · Score: 1

    Open ports by themselves don't constitute a security risk.

    This comment is sadly the kind of horrifically dangerous and stupid comment that permeates the Android technical community.

    If a port is opened on an Android device, that 100% means that an app opened it for some reason, which means that 100% there is for some period of time going to be a service running that receives on that port. Maybe the user deletes the app but why would they? Most people wouldn't bother. Many probably do not even know HOW.

    So that means that ALL of the most vulnerable people are at risk, which you casually dismiss because an open port "means nothing", the way an orange glow and smoke pouring from a house "means nothing" until the external edifice is reduced to ashes...

    I mean, a separate comment I saw pointed out that android users really should use netstat of the phone. Good grief.

    This is why I cannot in good conscience do anything except steer every non-technical user away from Android.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re: Dangerous comment by Zero__Kelvin · · Score: 1, Insightful

      This comment is sadly the kind of horrifically dangerous and stupid comment that permeates the Android technical community.

      I wholeheartedly agree. Your comment is sad, stupid, and indicative of incompetence.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    2. Re:Dangerous comment by 110010001000 · · Score: 1

      What? That makes no sense. What is the difference between an open port on an Android device and the dozens that are open on your personal computer? Nothing. An Android device is just a computer. Really, people are stupid.

      "If a port is opened on an Android device, that 100% means that an app opened it for some reason"

      Really? Genius. You must be a "security researcher".

    3. Re:Dangerous comment by gweihir · · Score: 1

      I fully agree. Even on servers, one of the first things you do in a hardening-review is to scan for open ports and then evaluate the security of the software that opens each port. An App is likely to be horribly insecure and one has to ask what business _client_ software has opening listening ports in the first place.

      Of course, all that requires a bit of actual security knowledge. There are far too many wannabes that think they understand IT security. Probably the reason so much software is insecure.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:Dangerous comment by 110010001000 · · Score: 1

      "evaluate the security of the software that opens each port"

      Unless you are running open source you aren't evaluating anything. An "app" can do WHATEVER IT WANTS. Any closed source software can. Who cares about "open ports"? You don't know what the software is doing. It could steal all your information and connect() to a server in China. And you care about "open ports"?

    5. Re:Dangerous comment by swb · · Score: 2

      I wonder if a possible explanation is just sloppy coding by app programmers, cutting and pasting huge swaths of code, libraries, etc, that they don't understand to get one function.

      Even the *programmer* doesn't know what ports their cut-and-pasted code is opening.

    6. Re:Dangerous comment by 110010001000 · · Score: 1

      Possibly. A rogue app would just open a connection to china anyway and send your data that way. It wouldn't listen for incoming connections since phones are mostly behind carrier NAT. Worrying about open ports is silly. You don't know what the hell the app is doing.

    7. Re:Dangerous comment by Ol+Olsoc · · Score: 1

      Open ports by themselves don't constitute a security risk.

      This comment is sadly the kind of horrifically dangerous and stupid comment that permeates the Android technical community.

      So I wasn't the only person who read that as absolute assholery. An open port is always a security risk.

      Almost as big a risk as someone declaring it isn't a risk.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    8. Re: Dangerous comment by Ol+Olsoc · · Score: 1

      This comment is sadly the kind of horrifically dangerous and stupid comment that permeates the Android technical community.

      I wholeheartedly agree. Your comment is sad, stupid, and indicative of incompetence.

      Meh, howbow you explain how open ports are not a security risk instead of calling anyone who you disagree with "stupid".

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    9. Re:Dangerous comment by gweihir · · Score: 1

      You really have no clue how this works. You are only heaping more egg on your face.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    10. Re: Dangerous comment by gweihir · · Score: 1

      And that is just the point. The other one is that because your phone does not have a static IP address, there is actually no sane reason to have a listening port open.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    11. Re: Dangerous comment by sumdumass · · Score: 1

      open ports are necessary for communication. Open ports are ideal for phones. Apps that open ports are expecting communications of some sort and as long as they are updated and not full of bugs, it is not a problem.

      In a server environment when the entire role of the system is to act as a server, you close all unneeded open ports not pertaining to that role because what is important is what is listening on the open port. When you have something not needed listening, you are not only chewing up resources the system could be using to serve should the need arise, but allow attack vectors that are not monitored as closely as the processes critical to the serving and it is easier to overlook security flaws. However, this is a different situation than what is essentially a multi purpose desktop computer where you install software and expect it to do different things at different times. If what you install needs a port open, it isn't a bad thing unless what you install is insecure or malicious.... That is where the problem is- not the open port.

    12. Re: Dangerous comment by CanadianRealist · · Score: 1

      when the entire role of the system is to act as a server, you close all unneeded open ports not pertaining to that role

      When you have something not needed listening [ ... ] allow attack vectors that are not monitored as closely

      what you install needs a port open, it isn't a bad thing unless what you install is insecure or malicious

      So on a dedicated server there's really no need to close unneeded ports. Simply don't install anything insecure or malicious on your server and everything will be fine.

    13. Re: Dangerous comment by Ol+Olsoc · · Score: 1

      open ports are necessary for communication. Open ports are ideal for phones. Apps that open ports are expecting communications of some sort and as long as they are updated and not full of bugs, it is not a problem.

      that "as long as" comment is what makes all the difference in the world.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    14. Re: Dangerous comment by Ol+Olsoc · · Score: 1

      Simply don't install anything insecure or malicious on your server and everything will be fine.

      And never never ever get a virus or malware. It'll be okay. As long as everything is on the up and up, you'll have no problems.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    15. Re: Dangerous comment by sumdumass · · Score: 1

      If you are willing to monitor all the software that uses those ports for security bugs, access attempts and so on and ensure that they are legitimate and safe, then no, there is no need to bother closing unneeded ports. At the same time, if they are not needed, then why have them open in the first place and make your life a lot harder? Best practices would dictate closing the unneeded ports simply because of how resource consuming and the effort needed to keep up with them.

  10. Backdoors on millions of devices by dknj · · Score: 4, Interesting

    How many people root their Android device? Has anyone looked into SuperSU and how the simple su binary works? Nope.

    The su binary that is passed around for all rooted Android distros has no source. It is maintained by a random person with financial motivation to not be conservative with your privacy or security.

    I don't think Android users really care about backdoors to be honest

    1. Re:Backdoors on millions of devices by nnull · · Score: 1

      The problem is worse than that. Almost every damn ROM wants to include it. The more I use an Android device, the more I hate it. If it's not Samsung wanting to spy on me, it's some asshole that does when I want to root my phone. Switching to an iPhone just seems like the same problems exist there. Thing makes me feel like I'm using Windows 98 with all these applications that don't ever want to close and run in the background now, applications that seemingly seem innocent but probably are not.

  11. firewall by MrKaos · · Score: 3, Insightful

    Of course the problem can be reduced if we were allowed to control a root level firewall on our android or iphone devices.

    But of course we are paying for phones so someone else can use them to suck data and use it to spy or advertise to me in a really creepy way. Pretty damn frustrating.

    --
    My ism, it's full of beliefs.
    1. Re:firewall by MrKaos · · Score: 2

      I had frequent debates with idiots who couldn't comprehend why personal firewalls were fucking stupid.

      It's hard to understand why if you don't explain yourself.

      Just close the fucking ports

      Should have told them to pull out the ethernet cable, hey why not just drop network support altogether.

      But maybe you have something to offer, so why don't you enlighten me?

      --
      My ism, it's full of beliefs.
    2. Re:firewall by gweihir · · Score: 1

      One of the reasons I do not trust smartphones. Unless I have root and can configure what I damn well please, it is an insecure device under control of an untrusted 3rd party.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:firewall by drinkypoo · · Score: 1

      Of course the problem can be reduced if we were allowed to control a root level firewall on our android or iphone devices.

      On Android, DroidWall, AutoProxy and others use iptables. IOW, you can control a root level firewall on your Android devices. I doubt you can do it on iOS, but I wouldn't know because I don't actually care.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:firewall by MrKaos · · Score: 1

      On Android, DroidWall, AutoProxy and others use iptables.

      I'll check those out, thanks!

      --
      My ism, it's full of beliefs.
  12. Re: Open ports by nyet · · Score: 1

    Why should an app call listen()? For what operation?

  13. Re:Open ports by nyet · · Score: 1

    Once more, for what reason should an app call listen()? Be specific.

  14. Re:Open ports by nyet · · Score: 4, Informative

    BTW that is absolutely false. While an already open (and active) point to point connection is relatively hard to compromise, an application that is listen()ing on a port can be compelled to accept data from any source, at will, and repeatedly.

    This makes buffer overflow (or other remote exploits) attacks trivial to both test and execute successfully.

  15. Re: Open ports by nyet · · Score: 1

    There is a difference between calling listen() and connect().

  16. Re: Open ports by Barabul · · Score: 1

    It depends on what the app does. It may be essential for the service it provides. 2 examples I use frequently - SSH Server and XServer XSDL.

  17. Slashdot is at risk! by moshiko · · Score: 1

    The slashdot web server listens on port 80, that's a huge security risk!
    Run home and wrap tin foil on your heads everyone!

    --
    I love burekas in the morning
    1. Re:Slashdot is at risk! by jon3k · · Score: 1

      What webserver are you running on your phone? Were you aware?

      Minimizing this like it's a non-issue is insane. The fact that apps can open random ports, which may then will inevitably be susceptible to remote attacks, is horrifying. You think IoT devices were bad, wait until the few hundred million phones with dozens or hundreds of apps installed get turned into botnets.

      I'm all for asking questions like, "what apps?" Did you install an FTP server? Well obviously it opens a port. But isn't anyone concerned that these apps have the ability to open ports? How is this monitored, controlled and approved from Android devices?

  18. Re: Open ports by nyet · · Score: 1

    We're not talking about server apps like sshd.. Obviously that would listen on 22. We're talking about random apps that call listen without your knowledge.

  19. Re:Sounds like Bullshit by Mojo66 · · Score: 1

    How about using Starbuck's W-LAN?

  20. Security by spiritwave · · Score: 1

    Security? Meh.

    Yes, I'm being sarcastic, if unclear.

    --
    Sines of Impending Sines
  21. Re:Sounds like Bullshit by allo · · Score: 1

    Do they assign every customer an own ip with open port? I do not think so ... I guess you're just getting a LAN IP and NAT to the internet again.
    With IPv6 it gets interesting again ...

  22. Re:Open ports by 110010001000 · · Score: 1

    Who said anything about "you knowing it"? You run closed source software, that is what you get. You don't know what an app is doing? My comment said nothing about that.

  23. Re:Open ports by 110010001000 · · Score: 1

    If I wrote an app that allowed you to transfer photos to the phone via a socket, how would the photos get transferred? Magic? Most server type process needs ports. Open ports aren't the problem. Closed source is.

  24. Re:Open ports by gweihir · · Score: 1

    Actually, given that most software (except some carefully hardened server software) is insecure, an open port is very much a risk if it connects to an app.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  25. Re:Open ports by gweihir · · Score: 2

    Indeed. Methinks some people here do not understand the difference between a listening port and a port used in an active connection.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  26. Re: Open ports by 110010001000 · · Score: 1

    One endpoint is calling listen(). Are you saying calling listen() is a security risk? That makes no sense. You have dozens of ports "open" on the computer you use every day. A mobile phone normally doesn't have a public IP anyway, and is behind a carrier NAT usually. I think you guys are confusing "open ports" with "closed source". Open ports are fine. The Internet is full of them. That is how things communicate. The problem is you don't know what these "apps" are doing.

  27. Re:Open ports by 110010001000 · · Score: 1

    Really? You do realize your computer has dozens of "open ports" right now, right? How do you think computers communicate? Magic? Open ports are not by themselves a security risk.

  28. Re: Open ports by 110010001000 · · Score: 1

    Any "app" you download can do ANYTHING THEY WANT without your knowledge. If you cared about security you wouldnt use them.

  29. Re:Open ports by Kokuyo · · Score: 3, Informative

    Well, if my flashlight app wants to open a listening port on the network, that in and of itself seems fishy to me. Furthermore, the more services are listening for connections, the higher the chance that one of them is badly coded and will allow an attacker to get access to my data.

  30. Re:Sounds like Bullshit by afxgrin · · Score: 1

    There I'd be more concerned they didn't enable wireless isolation on their router.

  31. Re:Open ports by 110010001000 · · Score: 1

    Why is that more fishy than it connecting to a server in China and sending all your data there? What is the difference? You are installing a closed source app. It could be doing anything. If you were concerned about your data, why would you install a flashlight app from a random person?

  32. Re:Open ports by drinkypoo · · Score: 2

    Open ports are not by themselves a security risk.

    Not by themselves, but there's no such thing as an open port by itself. We're obviously talking about listening, so we need not discuss ports opened outward, although there are definitely ways to compromise an application in reverse, so opening a TCP connection outward is an opportunity for an incoming attack, if you connect to a host which is malicious (whether inherently, or because it has been compromised.) But at minimum, listening ports provide an opportunity to attack the networking stack of the device, and the application (or daemon, etc etc.) which opened the port. So yes, open ports absolutely do increase your security risk. If there are zero open ports on the device, then the only parts of the networking subsystem with which you interface are the network interface and its driver, which means there's less opportunity to exploit a vulnerability.

    Saying open ports are not a security risk is like saying that open windows are not a security risk. What? Of course they are.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  33. Android and apps: redux by hughbar · · Score: 2

    This was my most recent comment on Android and 'apps': https://slashdot.org/comments..... With this, I see no reason to change my mind. There's some reason we close all the ports we can and create solid firewall rules, isn't there?

    I'm going to try this next: https://jolla.com/about/ but I'm not at all convinced that it's better.

    --
    On y va, qui mal y pense!
  34. Re: I can't believe people aren't running a firewa by simpz · · Score: 1

    I've not seen a good iptables app on f-droid. The ones I've seen seem to allow you to block all network activity for an app, I'd like to block inbound connections but allow outbound.

  35. Re: I read that as Open Doors for Bob Marley by mnemotronic · · Score: 1

    Dos bowlos. Bobbin malwarey? Bop in male wary? Bah. Been Mallory? Maybe "Bob and Mallory" is an anagram for "anal dorm lobby"?

    --
    The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
  36. What a brilliant inside-the-box idea! Firewalls! by Brannon · · Score: 1

    Then maybe we can load up 3 layers of anti-virus software. And also just accept that your phone is going to get hacked every several months, so you should learn how to wipe it clean and start over. Or pay someone at Best Buy to do it for you. This is exactly the strategy that led to Windows becoming a cesspool of malware during the early 2000s--let's totally replicate it with all the computers we keep in our pockets. You know, the ones that have our payment info and all of our contacts.

    Did you notice that the article didn't note any security problems at all with iOS applications opening ports? I wonder why...

  37. Re: Open ports by BronsCon · · Score: 1

    If nobody calls listen(), what do you connect() to?

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  38. Re:Open ports by Anonymous Coward · · Score: 1

    "Security researcher" is the new term for failed CS majors.

    The paper linked from the /. story explains how they analyzed the apps to check the vulnerability of the open ports. The paper is perfectly aware that open ports themselves are not necessarily dangerous, but emphasizes that roughly half of the smartphone apps that open ports do not secure them against attacks.

    If "security researcher" is the new term for failed CS majors, what is the new term for people who criticize a paper without reading it?

  39. Read Original Quote by SuperKendall · · Score: 1

    What is the difference between an open port on an Android device and the dozens that are open on your personal computer? Nothing.

    That is absolutely correct, and we all know that personal computers are rife with security flaws.

    Part of that is because services are sitting at a number of different open ports, every service that is doing so increases the chances of a successful attack vector being present on your system.

    So now we bring forward this same, known to be failed and dangerous, security model to the phone? Remember the original comment was talking about how open ports "are not dangerous" - with the implication that nothing is necessarily behind those open ports. But just like the PC we all know today, if something opened those ports that almost certainly means there is a service sitting there, listening, possibly vulnerable...

    Or would you like to ignore decades of failed PC security?

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  40. Re:Open ports by gweihir · · Score: 1

    I doubt that very much. If you actually had written any such software in any real sense, you would not write such nonsense. And incidentally, you have no idea how much networked software I have written.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  41. App is not gone by SuperKendall · · Score: 1

    u are hand waving a bunch of dumb shit like "app opens a port and then the app is gone

    There's the exact problem though. Why do you THINK the app is gone?

    If the app has permission to open a port that means it had permission to have a long-running service sitting on that port.

    Why else would it open the port if it were not going to do just that?

    Most non-technical users rarely if ever delete apps...

    I mean, I agree that android phones are utter shit

    They aren't at all, they work really well.. it's just that they ALSO bring the same security risk as any PC to a group of users who by and large have no technical ability to understand, or deal with the risk they are taking on. So it propagates the decades of horrible security flaws the PC world has enjoyed, like bank account being compromised, or identities stolen.

    It's bullshit to claim that is OK, that it's not really a problem when it is a massive problem that affects the people who can least afford to deal with it.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:App is not gone by AK+Marc · · Score: 1

      If the app has permission to open a port that means it had permission to have a long-running service sitting on that port.

      Nope. That's not how it works. An app installed with permission to open a port can't open that port until you run the app. That alone proves you wrong. Also, the app will shut the port when the app is closed.

      With mobile data, the "cheapest" bandwidth solution for a chat app is to open a server connection when the app is opened, then, if the phone is reverse-reachable, close all connections. When a message comes in, the server sends it to the phone. The other way is to leave a connection open permanently. This uses more resources and data than an open port. Most don't do this because the NAT used blocks everything. And if that's the case, your complaint about open ports being a security risk seems unfounded.

    2. Re:App is not gone by SuperKendall · · Score: 1

      Nope. That's not how it works. An app installed with permission to open a port can't open that port until you run the app. That alone proves you wrong.

      That proves you either cannot read, nor think. The original post is complaining about an OPEN PORT you doofus, which means the app HAS BEEN RUN. I'm not saying anything about the app before it is run, I am talking about where there is OPEN PORT there is a security risk.

      Also, the app will shut the port when the app is closed.

      What is really funny here is that it just goes even further to prove what I was saying, that an open port on Android is a security risk. What you are saying is that there cannot be an open port without an app behind it which means 100% of the time an open port on Android is a security risk.

      Which is what I said.

      So thanks for the support, even if you don't understand why it went that way.

      The other way is to leave a connection open permanently. This uses more resources and data than an open port.

      Innocent question - why would a malicious app care about using more resources and data?

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
    3. Re:App is not gone by AK+Marc · · Score: 1

      If the app has permission to open a port that means it had permission to have a long-running service sitting on that port.

      Nope. That's not how it works. An app installed with permission to open a port can't open that port until you run the app. That alone proves you wrong.

      That proves you either cannot read, nor think. The original post is complaining about an OPEN PORT you doofus, which means the app HAS BEEN RUN.

      The port can't be open unless the app is running. You said "it had permission to have a long-running service sitting on that port." That statement is wrong.

      "What I explicitly said isn't what I meant"
      Fuck you. I don't have time for liars. You were lying then or you are lying now. An app can't open a port unless it's running.

      What you are saying is that there cannot be an open port without an app behind it which means 100% of the time an open port on Android is a security risk.

      You are presuming that all apps are malicious. You say any open port must point to an app (incorrect). I never said you can't have an open port without an app behind it. I said that if an app opens a port, it can't do so while the app is closed. The rest is more of your lies.

      When you have to lie to make a point, you know, deep down, that you are wrong, but you'll lie about that too.

      Innocent question - why would a malicious app care about using more resources and data?

      They wouldn't. So a malicious app wouldn't have any inbound ports open. Only innocent apps would bother with open inbound ports. So you've proven yourself wrong again. But you are too emotionally invested in winning every argument on the Internet, that you'll lie about that too. The malicious apps may worry about open ports, so they don't get detected, so they'll not be detected in these scans. So the scan will only find "safe" ports. But you don't understand this, or understand and lie about understanding it. Either way, you are ineducable.

  42. Re:Open ports by sumdumass · · Score: 1

    Probably the same reason why an app to connect to your blood pressure machine via Bluetooth to retrieve readings needs access to your images, contacts, email, and account information. If you can figure that out, let me know too. But my best guess would be to update or change the advertising and track you (and the ads displayed) should you disable internet access for the app itself (say a card game that only needs internet for advertising).

  43. Re: Open ports by Zero__Kelvin · · Score: 1

    Thank you for making it clear to anyone who might have a doubt that you literally don't understand how networking works in case anyone thought I was being too hard on you.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun

  44. Re:Open ports by nyet · · Score: 1

    I would not hire you for any networking job.

  45. Re:Open ports by nyet · · Score: 1

    Did you actually read my post?

  46. Re:Open ports by AK+Marc · · Score: 1

    None. Though that doesn't address the issue that there has to be a vulnerability to exploit. If there's no vulnerability, more open ports don't decrease security.

    And you've illogically assumed that N+1 is always worse than N. By that reasoning, as we know windows are less secure than walls, no building should have more than one window. Everyone can share it. Any more than that must be, by nyet's definition, insecure.

  47. Re:Open ports by AK+Marc · · Score: 1

    You don't need an open port listening to scrape all your data and send it away. So why do the open ports matter more than the general security?

  48. Re: Open ports by AK+Marc · · Score: 1

    Why do you pretend P2P doesn't exist? I guess every P2P app should be blocked because you can't think of a good reason for P2P to exist.

    How would you have IoT? Every device calling to a paid central server that can lock you out of your house/garage if you give them a bad review? Or a secure P2P communication so your devices can talk to each other without using ransomware, I mean central server?

  49. Re:Open ports by nyet · · Score: 1

    You use connect(), not listen()/accept()

  50. Re: Open ports by nyet · · Score: 1

    listen() is fundamentally more dangerous than connect().
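
An added illustration, not part of any comment in this thread and not code from the paper: the connect() versus listen()/accept() distinction drawn above can be audited from the Linux `/proc/net/tcp` table, where only sockets in LISTEN state accept inbound connections. The sketch reports each listener with its bind address and owning UID (on Android each app runs under its own UID); the sample table is constructed and a little-endian host is assumed.

```python
import ipaddress
import struct

# Constructed sample in Linux /proc/net/tcp format (not captured from a device).
# Row 0 listens on all interfaces, row 1 on loopback, row 2 is an outbound
# connection made with connect() to 192.0.2.10:443.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 40001
   1: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10087        0 40002
   2: 0F02000A:A1B2 0A0200C0:01BB 01 00000000:00000000 00:00000000 00000000 10123        0 40003
"""

TCP_LISTEN = 0x0A  # kernel state value for a socket that has called listen()


def decode_endpoint(field):
    """Turn 'HEXIP:HEXPORT' into (ip, port); assumes a little-endian host."""
    hex_ip, hex_port = field.split(":")
    ip = ipaddress.IPv4Address(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def listening_sockets(proc_net_tcp):
    """Return (ip, port, uid, exposure) for every IPv4 socket in LISTEN state."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:      # skip the header row
        cols = line.split()
        if len(cols) < 8 or int(cols[3], 16) != TCP_LISTEN:
            continue                                # established etc.: not a listener
        ip, port = decode_endpoint(cols[1])
        if ip.is_unspecified:                       # 0.0.0.0: any network peer can connect
            exposure = "all interfaces"
        elif ip.is_loopback:                        # 127.0.0.0/8: on-device clients only
            exposure = "loopback only"
        else:
            exposure = "single interface"
        found.append((str(ip), port, int(cols[7]), exposure))
    return found


if __name__ == "__main__":
    for ip, port, uid, exposure in listening_sockets(SAMPLE):
        print(f"uid {uid} listens on {ip}:{port} ({exposure})")
```

The outbound connection in row 2 never appears in the result, and the wildcard-bound listener is the one worth reviewing first.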

  51. Re:Open ports by CanadianRealist · · Score: 2

    Sure, the app maker may scrape all your data and send it to their server. How is it in any way better to then leave a port open so that anyone can try and compromise your device and grab a copy for themselves?

  52. Re:Open ports by CanadianRealist · · Score: 1

    what is the new term for people who criticize a paper without reading it?

    Do we really need a new term? Can't we just keep calling them Slashdotters?

  53. Re:Open ports by AK+Marc · · Score: 1

    With no apps installed, there'll be open ports. So it's up to you to prove that one more open port will greatly diminish the security of the device. And zero open ports still allows a malicious app to send everything to a central server, so the issue of "malicious apps" indicates they wouldn't need (or want) open ports.