Nearly 3 Million Android Phones Vulnerable To OTA Update Hijacking

It’s another day, and another Android backdoor has been discovered. Last week, we brought you news of a secret backdoor installed on a number of budget Android devices that was beaming personal information (text messages, phone numbers, contacts) to servers in China. Today, we’re learning of another flaw that once again targets low-cost Android smartphones.

At the center of the discussion this time around is the Ragentek firmware used on a number of Android smartphones. Researchers from BitSight Technologies discovered two internet domains that were hardcoded into the firmware’s over-the-air (OTA) update client. Until recently these domains were unregistered, so BitSight registered them itself to see what would connect.

[Image: BLU Studio G]

With BitSight now in possession of the domains, it observed roughly 2.8 million unique devices checking in to them through the update mechanism. Because that mechanism runs with escalated privileges and will install or execute whatever the head-ends return, every one of those devices was exposed, and BitSight notes that the exposure ships with the phone: “The fact that the device reached out to defined head-ends immediately after initialization implies that the devices are affected by this issue out of the box, and were not subsequently compromised through other means, such as through a subsequent update.”

One BitSight researcher took to Twitter to describe the scope of the vulnerability:

A man-in-the-middle (MITM) attack is possible because Ragentek does not encrypt the traffic between affected Android devices and its update servers, so anyone on the network path can rewrite the exchange. Even more damning, the update mechanism performs no code-signing check on what it receives, so an attacker who can answer the device, whether by sitting on path or by controlling one of the hardcoded domains, can execute arbitrary code with root privileges through the over-the-air update mechanism.
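To make the two missing controls concrete, here is an added example (not BitSight’s or Ragentek’s code) of an OTA client written the vulnerable way beside a hardened version. The JSON manifest format, the signature-then-body framing, the command strings, the seed-derived vendor key and the `ota.example.invalid` host are all assumptions made for the example; the real Ragentek wire format is not reproduced here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Manifest is a simplified model of an OTA update response: a version
// string and the privileged commands the device is told to run.
// This format is an assumption for the example, not Ragentek's real wire format.
type Manifest struct {
	Version  string   `json:"version"`
	Commands []string `json:"commands"`
}

// parseInsecure mirrors the flaw the article describes: the client trusts
// whatever the head-end returns and would hand the commands to a root shell.
// It returns the commands that would be executed.
func parseInsecure(resp []byte) ([]string, error) {
	var m Manifest
	if err := json.Unmarshal(resp, &m); err != nil {
		return nil, err
	}
	return m.Commands, nil
}

// parseSigned is the hardened client. The response is signature || manifest,
// and the signature must verify under a vendor public key pinned in firmware,
// so neither an on-path attacker nor whoever owns the domain can forge it.
func parseSigned(resp []byte, vendorPub ed25519.PublicKey) ([]string, error) {
	if len(resp) < ed25519.SignatureSize {
		return nil, errors.New("response too short to carry a signature")
	}
	sig, body := resp[:ed25519.SignatureSize], resp[ed25519.SignatureSize:]
	if !ed25519.Verify(vendorPub, body, sig) {
		return nil, errors.New("manifest signature invalid: refusing to run commands")
	}
	var m Manifest
	if err := json.Unmarshal(body, &m); err != nil {
		return nil, err
	}
	return m.Commands, nil
}

// signManifest is what the vendor's release process does offline with the
// private key; the device only ever holds the public half.
func signManifest(m Manifest, vendorPriv ed25519.PrivateKey) ([]byte, error) {
	body, err := json.Marshal(m)
	if err != nil {
		return nil, err
	}
	return append(ed25519.Sign(vendorPriv, body), body...), nil
}

// checkHeadEnd rejects the transport weakness: updates must come over TLS
// from the pinned vendor host, not plaintext HTTP to whatever name resolves.
func checkHeadEnd(rawURL, pinnedHost string) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return fmt.Errorf("refusing non-TLS head-end %q", rawURL)
	}
	if !strings.EqualFold(u.Hostname(), pinnedHost) {
		return fmt.Errorf("head-end host %q does not match pinned host %q", u.Hostname(), pinnedHost)
	}
	return nil
}

func main() {
	// Constructed vendor key, derived from a fixed seed so the demo is
	// deterministic. A real vendor key is generated and kept offline.
	seed := sha256.Sum256([]byte("example vendor signing key seed"))
	vendorPriv := ed25519.NewKeyFromSeed(seed[:])
	vendorPub := vendorPriv.Public().(ed25519.PublicKey)

	genuine, _ := signManifest(Manifest{Version: "1.0.1", Commands: []string{"install /cache/update.zip"}}, vendorPriv)
	// Constructed response that whoever holds the domain, or sits on path, could send.
	forged := []byte(`{"version":"9.9","commands":["pm install -r /sdcard/malicious_update.apk"]}`)

	cmds, _ := parseInsecure(forged)
	fmt.Println("insecure client would run as root:", cmds)
	cmds, err := parseSigned(genuine, vendorPub)
	fmt.Println("signed client, vendor update:", cmds, err)
	_, err = parseSigned(forged, vendorPub)
	fmt.Println("signed client, forged update:", err)
	fmt.Println(checkHeadEnd("http://ota.example.invalid/update", "ota.example.invalid"))
}
```

Two caveats a practitioner would add: a signature check stops forgery but not replay, so a real client should also refuse manifests whose version is not newer than the installed one (an attacker could otherwise re-serve an old signed update with a known bug), and TLS with a pinned host only helps if the device actually validates the certificate chain rather than merely using an https URL.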

Of the nearly 3 million Android devices that are affected, 55 different models are caught up in the mix. Unfortunately for BLU, whose devices were fingered in last week’s backdoor, six of its current models are affected by this firmware flaw. In fact, BitSight’s examination of the MITM attack took place on a BLU Studio G, which it purchased from Best Buy. According to CERT, BLU has issued an update to address the issue on its phones.

It should be noted that while BitSight now holds two of the domains hardcoded into the firmware (thereby shielding millions of Android users from potential attacks), a third hardcoded domain was already registered by another party, so devices that contact it remain open to attack.

Brandon Hill
Brandon received his first PC, an IBM Aptiva 310, in 1994 and hasn’t looked back since. He cut his teeth on computer building/repair working at a mom and pop computer shop as a plucky teen in the mid 90s and went on to join AnandTech as the Senior News Editor in 1999. Brandon would later help to form DailyTech where he served as Editor-in-Chief from 2008 until 2014. Brandon is a tech geek at heart, and family members always know where to turn when they need free tech support. When he isn’t writing about the tech hardware or studying up on the latest in mobile gadgets, you’ll find him browsing forums that cater to his long-running passion: automobiles.

Opinions and content posted by HotHardware contributors are their own.