
How did firmware create an Android backdoor in budget devices?

An Android backdoor was discovered in the Ragentek firmware used in almost three million low-cost devices. Expert Michael Cobb explains how to prevent attacks on affected devices.

An Android backdoor was found in the Ragentek firmware, which is used in almost three million budget devices, that allows attackers to use man-in-the-middle attacks and gain full root access. How does this backdoor work, and what can be done to address it?

Firmware is low-level code stored in nonvolatile memory, such as ROM, erasable programmable read-only memory (EPROM) or, where updates must be possible, flash memory. It is embedded into hardware during the manufacturing process and contains the basic instructions that allow the hardware to function. Like operating system and application software, firmware can contain exploitable vulnerabilities.

Security researchers from BitSight Technologies Inc. found that firmware in various brands of low-cost Android phones left these devices vulnerable to code execution attacks due to a hidden backdoor. The Android backdoor is a serious security failing, as an attacker could use it to remotely seize full control of a vulnerable device. Phones from BLU Products, Infinix and DOOGEE have been the most affected.

The firmware binary, developed by Ragentek Group in Shanghai, runs with root privileges, and is designed to deliver over-the-air updates, but it does so over an unencrypted channel. This not only exposes user-specific information during any communications, but also allows an attacker to remotely execute system commands on the devices as a privileged user via a man-in-the-middle (MitM) attack. This could lead to the installation of malware with system privileges or configuration changes.

The firmware actively tries to hide itself, excluding references to the binary name in the list of running processes returned by the Linux ps and top commands, while the Java framework has also been modified to hide references to the process.

Two unregistered internet domain names are hardcoded into the firmware, which, if registered, would give the owner the ability to remotely seize full control of a vulnerable device, without the need to perform a MitM attack. AnubisNetworks, a subsidiary of BitSight Technologies in Cambridge, Mass., has since registered these domains to prevent such an attack from occurring.

The Android backdoor vulnerability has been assigned CVE-2016-6564, and the CERT notes include a list of vulnerable models discovered so far. The backdoor capabilities may well have been unintentional, but enterprises should take this problem seriously, as many phones are unlikely to ever receive an update. So far, only BLU Products appears to have released a fix, and its effectiveness, and whether it's an automatic or manual update, is unknown.

Although AnubisNetworks now owns two of the hardcoded domains, a sophisticated attack team could temporarily hijack the IP addresses that point to them and carry out any number of attacks. To check if a phone contains this Android backdoor, monitor for outgoing connections to the following domains: oyag[.]lhzbdvm[.]com, oyag[.]prugskh[.]net and oyag[.]prugskh[.]com.
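The check described above, as an added example that is not part of the original article: it refangs the three indicator domains exactly as printed and flags any client whose DNS queries hit them. The log format is assumed to be dnsmasq's `query[A] <name> from <client>` lines, and the sample log is constructed.

```python
"""Flag devices that resolve the Ragentek backdoor domains (added example)."""
import re
from collections import defaultdict

# Indicators exactly as the article prints them (defanged with [.]).
RAGENTEK_DOMAINS_DEFANGED = [
    "oyag[.]lhzbdvm[.]com",
    "oyag[.]prugskh[.]net",
    "oyag[.]prugskh[.]com",
]

def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a normalised hostname."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")

RAGENTEK_DOMAINS = {refang(d) for d in RAGENTEK_DOMAINS_DEFANGED}

# Assumed log source: dnsmasq query lines such as
#   Nov 18 10:02:13 dnsmasq[812]: query[A] oyag.prugskh.net from 10.0.0.23
DNSMASQ_QUERY = re.compile(
    r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")

def matches_indicator(name: str) -> bool:
    """True if name is an indicator domain or a subdomain of one.

    The leading dot in the suffix check keeps lookalikes such as
    notoyag.prugskh.com from producing a false positive.
    """
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in RAGENTEK_DOMAINS)

def find_suspect_clients(log_lines):
    """Return {client_ip: sorted indicator names it queried}."""
    hits = defaultdict(set)
    for line in log_lines:
        m = DNSMASQ_QUERY.search(line)
        if m and matches_indicator(m.group("name")):
            hits[m.group("client")].add(m.group("name").lower().rstrip("."))
    return {client: sorted(names) for client, names in hits.items()}

# Constructed sample log; 10.0.0.23 plays a hypothetical affected handset.
SAMPLE_LOG = """\
Nov 18 10:02:11 dnsmasq[812]: query[A] www.example.com from 10.0.0.5
Nov 18 10:02:13 dnsmasq[812]: query[A] oyag.prugskh.net from 10.0.0.23
Nov 18 10:02:13 dnsmasq[812]: query[A] OYAG.lhzbdvm.com. from 10.0.0.23
Nov 18 10:02:14 dnsmasq[812]: query[A] notoyag.prugskh.com from 10.0.0.9
Nov 18 10:02:15 dnsmasq[812]: reply oyag.prugskh.net is 203.0.113.10
""".splitlines()

if __name__ == "__main__":
    for client, names in find_suspect_clients(SAMPLE_LOG).items():
        print(f"{client}: queried {', '.join(names)}")
```

A client that appears in the result should be treated as a candidate for the affected-model list in the CERT note and isolated until it is patched or replaced.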

Until an effective patch is installed, affected users should only connect to the internet using VPN software.
