
3 million Android phones vulnerable due to pre-installed rootkit

Nikolaos Chrysaidos, Nov 30, 2016 2:27:55 PM

A backdoor has been discovered that could allow attackers to take complete control of certain Android devices.


Security researchers at BitSight (AnubisNetworks) have found a backdoor that affects 3 million budget Android devices. The backdoor makes the phones vulnerable to a Man-in-the-Middle (MITM) attack and could allow attackers to remotely execute commands to take complete control of a device.

The vulnerability lies in the binary of an over-the-air (OTA) update mechanism used by Ragentek, a Chinese company that provides Android firmware. The binary communicates with Ragentek’s server over an unencrypted channel, so anyone positioned between the device and the server can tamper with what the device receives. If exploited, the flaw lets an attacker execute arbitrary code with root privileges.
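The weakness described above is that the update client trusts whatever arrives on the cleartext channel. The following Go program is an added illustration, not Ragentek's or BitSight's code, of the check an OTA client should perform instead: the manifest is signed with a vendor key whose public half is pinned on the device, and the payload hash is bound to that signed manifest. The manifest format, key, payloads and the `Scenario` helper are all constructed for the demo; it then simulates two tampering attempts on the channel and shows both being rejected.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// UpdateManifest is a hypothetical OTA manifest: what the server tells the
// device to download and run. The real Ragentek format is not on the page.
type UpdateManifest struct {
	Version       string
	PayloadSHA256 string // hex SHA-256 of the update payload
	Signature     []byte // ed25519 signature over Version and PayloadSHA256
}

// manifestDigest hashes the signed fields with a separator so that
// Version/PayloadSHA256 boundaries cannot be shifted.
func manifestDigest(m UpdateManifest) []byte {
	h := sha256.New()
	h.Write([]byte(m.Version))
	h.Write([]byte{0})
	h.Write([]byte(m.PayloadSHA256))
	return h.Sum(nil)
}

// SignManifest is what the vendor does offline with its private key.
func SignManifest(priv ed25519.PrivateKey, m *UpdateManifest) {
	m.Signature = ed25519.Sign(priv, manifestDigest(*m))
}

var ErrBadSignature = errors.New("manifest signature invalid")
var ErrPayloadMismatch = errors.New("payload hash does not match manifest")

// VerifyUpdate is the check the device must run before executing anything it
// downloaded: first the pinned key authenticates the manifest, then the
// manifest authenticates the payload bytes.
func VerifyUpdate(pinned ed25519.PublicKey, m UpdateManifest, payload []byte) error {
	if !ed25519.Verify(pinned, manifestDigest(m), m.Signature) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.PayloadSHA256 {
		return ErrPayloadMismatch
	}
	return nil
}

// Scenario builds a signed manifest, then simulates two modifications an
// on-path party could make to cleartext traffic. Returns the three results.
func Scenario() (genuine, hashRewritten, payloadSwapped error) {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize) // constructed demo key
	priv := ed25519.NewKeyFromSeed(seed)
	pub := priv.Public().(ed25519.PublicKey)

	payload := []byte("#!/system/bin/sh\necho genuine vendor update\n") // constructed
	sum := sha256.Sum256(payload)
	m := UpdateManifest{Version: "1.0.1", PayloadSHA256: hex.EncodeToString(sum[:])}
	SignManifest(priv, &m)
	genuine = VerifyUpdate(pub, m, payload)

	replaced := []byte("#!/system/bin/sh\necho unauthorized replacement\n") // constructed
	replacedSum := sha256.Sum256(replaced)

	// Case 1: the manifest hash is rewritten to match the replaced payload,
	// but the signature cannot be regenerated without the vendor's key.
	m2 := m
	m2.PayloadSHA256 = hex.EncodeToString(replacedSum[:])
	hashRewritten = VerifyUpdate(pub, m2, replaced)

	// Case 2: the manifest is left intact and only the payload is replaced.
	payloadSwapped = VerifyUpdate(pub, m, replaced)
	return
}

func main() {
	g, h, p := Scenario()
	fmt.Println("genuine update:      ", g)
	fmt.Println("hash rewritten:      ", h)
	fmt.Println("payload swapped only:", p)
}
```

The point of the design is that the device never relies on transport security alone: even if the channel is plaintext, a tampered manifest fails the signature check and a tampered payload fails the hash check. Pinning the key on the device also means a server takeover cannot push arbitrary code without the offline signing key.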

According to BitSight, about 55 device models are affected. Based on the IP addresses of the devices that connected to BitSight’s sinkhole, most of the affected phones are located in the U.S. Affected devices include Blu Studio, Infinix and Leagoo phones. A full list can be found here.

This backdoor has a history dating back to earlier this year, when Observatoriodeseguridad reported on the vulnerability (Part One and Part Two) in the Doogee Voyager D310.

Thanks to BitSight, all of the domains below are now sinkholed and are no longer able to redirect to any malicious servers:


  • OYAG.PRUGSKH.COM
  • OYAG.PRUGSKH.NET
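Because the two domains above are now sinkholed, a DNS query for them from inside a network is a useful signal that a device running the affected firmware is present. The following Go program is an added example, not part of the article or BitSight's tooling, that scans dnsmasq-style query lines for those domains (case-insensitively, including subdomains) and reports which client made them. The log lines are constructed for the demo and the format is an assumption; adapt the field parsing to your resolver's log layout.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// SinkholedDomains lists the two Ragentek OTA domains named in the article.
var SinkholedDomains = []string{"oyag.prugskh.com", "oyag.prugskh.net"}

// sampleLog contains constructed dnsmasq-style lines, not real traffic.
const sampleLog = `Nov 30 12:01:05 gw dnsmasq[812]: query[A] oyag.prugskh.com from 192.168.1.23
Nov 30 12:01:05 gw dnsmasq[812]: reply oyag.prugskh.com is 203.0.113.5
Nov 30 12:02:17 gw dnsmasq[812]: query[A] www.example.com from 192.168.1.44
Nov 30 12:03:40 gw dnsmasq[812]: query[A] OYAG.PRUGSKH.NET from 192.168.1.23
Nov 30 12:04:02 gw dnsmasq[812]: query[A] notprugskh.com from 192.168.1.9
`

// Hit records one query for a sinkholed name.
type Hit struct {
	Line   int
	Client string
	Domain string
}

// matchesSinkhole normalises the queried name and checks it against the
// list, matching the exact domain or any subdomain of it.
func matchesSinkhole(name string) bool {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	for _, d := range SinkholedDomains {
		if name == d || strings.HasSuffix(name, "."+d) {
			return true
		}
	}
	return false
}

// FindSinkholeQueries scans query lines of the form
// "... query[TYPE] <name> from <client>" and returns every match.
func FindSinkholeQueries(log string) []Hit {
	var hits []Hit
	sc := bufio.NewScanner(strings.NewReader(log))
	n := 0
	for sc.Scan() {
		n++
		fields := strings.Fields(sc.Text())
		for i, f := range fields {
			if strings.HasPrefix(f, "query[") && i+3 < len(fields) && fields[i+2] == "from" {
				if matchesSinkhole(fields[i+1]) {
					hits = append(hits, Hit{n, fields[i+3], strings.ToLower(fields[i+1])})
				}
			}
		}
	}
	return hits
}

// ClientsByHits groups matches by querying client so the affected devices
// can be located on the network.
func ClientsByHits(hits []Hit) map[string]int {
	out := map[string]int{}
	for _, h := range hits {
		out[h.Client]++
	}
	return out
}

func main() {
	hits := FindSinkholeQueries(sampleLog)
	for _, h := range hits {
		fmt.Printf("line %d: %s queried %s\n", h.Line, h.Client, h.Domain)
	}
	for client, n := range ClientsByHits(hits) {
		fmt.Printf("%s: %d sinkholed-domain queries\n", client, n)
	}
}
```

Only the two `query[A]` lines for the listed domains match; the `reply` line and the look-alike `notprugskh.com` are ignored. A client that shows up here is worth checking for Ragentek firmware and for the vendor update mentioned in the next section.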

What to do if you are infected

If you have a device running Ragentek’s firmware, contact your device manufacturer. Avast Mobile Security detects this vulnerability as Android:CVE-2016-6564-A [PUP] and will indicate if your device could be vulnerable. According to CERT, BLU has provided an update to address the vulnerability.

While you are waiting for an update, you can protect yourself by using a VPN, like SecureLine VPN, when connecting to public Wi-Fi or other unsecured networks.
