Mobile Security

3 million Android phones vulnerable due to pre-installed rootkit

Nikolaos Chrysaidos, 21 November 2016

A backdoor has been discovered that could allow attackers to take complete control of certain Android devices.

Security researchers at BitSight (AnubisNetworks) have found a backdoor that affects 3 million budget Android devices. The backdoor makes the phones vulnerable to a Man-in-the-Middle (MITM) attack and could allow attackers to remotely execute commands to take complete control of a device.

The vulnerability lies in the binary of an over-the-air (OTA) update mechanism used by Ragentek, a Chinese company that provides Android firmware. The binary communicates with Ragentek’s server over an unencrypted channel, so anyone positioned between the device and that server can tamper with the exchange. If exploited, the flaw could let attackers execute arbitrary code with root privileges.

According to BitSight, about 55 device models are affected. Based on the IP addresses of the devices that connected to BitSight’s sinkhole, most of the phones affected are based in the US. Devices affected include Blu Studio phones, Infinix phones, and Leagoo phones. A full list can be found here.

This backdoor has a history dating back to earlier this year, when Observatoriodeseguridad reported on the vulnerability (part one, part two) in the Doogee Voyager D310.

Thanks to BitSight, all these domains are now sinkholed and no longer able to redirect to any malicious servers:


  • OYAG.PRUGSKH.COM
  • OYAG.PRUGSKH.NET
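The two domains above are the only indicator the post gives, and because they are sinkholed a lookup still succeeds, so a defender has to watch for the query itself rather than for a failed resolution. The following is an added example, not code from the post or from BitSight or Avast: it scans dnsmasq-style DNS query log lines for the listed domains (and any subdomain of them, case-insensitively) and groups the matches by client address. The log lines are constructed for the example; the log format and the field names are assumptions, not anything the post describes.

```python
"""Flag clients that look up the sinkholed Ragentek update domains in a DNS log."""
import re
from collections import defaultdict

# The two domains named in the post; both are sinkholed by BitSight.
RAGENTEK_DOMAINS = {"oyag.prugskh.com", "oyag.prugskh.net"}

# Constructed sample lines in a dnsmasq-style query format (not from the post).
SAMPLE_DNS_LOG = """\
Nov 21 10:02:11 dnsmasq[812]: query[A] oyag.prugskh.com from 192.168.1.23
Nov 21 10:02:11 dnsmasq[812]: query[A] www.example.com from 192.168.1.10
Nov 21 10:07:40 dnsmasq[812]: query[A] OYAG.PRUGSKH.NET from 192.168.1.23
Nov 21 10:09:03 dnsmasq[812]: query[A] updates.oyag.prugskh.com from 192.168.1.41
Nov 21 10:12:55 dnsmasq[812]: query[AAAA] api.example.org from 192.168.1.41
Nov 21 10:13:02 dnsmasq[812]: reply api.example.org is 203.0.113.7
"""

# Assumed line shape: "query[<type>] <name> from <client>"; reply lines do not match.
LINE_RE = re.compile(
    r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)


def is_ragentek_domain(name):
    """True if name is one of the listed domains or a subdomain of one.

    Names are compared case-insensitively and without a trailing dot, so
    'OYAG.PRUGSKH.NET.' and 'updates.oyag.prugskh.com' both match.
    """
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in RAGENTEK_DOMAINS)


def find_lookups(log_text):
    """Return {client_ip: [queried names]} for every matching query line.

    Only query lines are considered; reply lines and queries for other
    domains are ignored. Names are returned lower-cased, in log order.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        if is_ragentek_domain(m.group("name")):
            hits[m.group("client")].append(m.group("name").lower())
    return dict(hits)


if __name__ == "__main__":
    for client, names in sorted(find_lookups(SAMPLE_DNS_LOG).items()):
        print(f"{client}: {', '.join(names)}")
```

Each client that appears in the result is a device that still carries the update binary and should be checked for the vendor patch the post mentions; the suffix match on subdomains is there because an update client may contact a host under the listed domain rather than the bare name.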

What to do if you're infected

If you have a device running Ragentek’s firmware, contact your device manufacturer. Avast Mobile Security detects this vulnerability as Android:CVE-2016-6564-A [PUP] and will indicate if your device could be vulnerable. According to CERT, BLU has provided an update to address the vulnerability.

While you are waiting for an update, you can protect yourself by using a VPN, like SecureLine VPN, when connecting to public Wi-Fi or other unsecured networks.
