New Backdoor Found in Firmware of Nearly Three Million Android Devices

Nearly three million Android devices are vulnerable to man-in-the-middle (MITM) attacks that could allow attackers to remotely execute arbitrary code with root privileges, handing full control of the devices to the attacker.

Ragentek Android firmware contains an over-the-air (OTA) update mechanism that talks to its update servers over an unencrypted channel, which allows a remote attacker positioned on the network path to inject commands and execute arbitrary code with root privileges.

“All transactions from the binary to the third-party endpoint occur over an unencrypted channel, which not only exposes user-specific information during these communications, but would allow an adversary to issue commands supported by the protocol. One of these commands allows for the execution of system commands,” said Dan Dahlberg and Tiago Pereira, researchers with Anubis Networks who disclosed the vulnerability.

“Additionally, there are multiple techniques used to hide the execution of this binary. This behavior could be described as a rootkit,” the CERT advisory associated with this vulnerability warned on Thursday.

Affected Android Devices

This binary is reported to be present in the following devices:

BLU Studio G
BLU Studio G Plus
BLU Studio 6.0 HD
BLU Studio X
BLU Studio X Plus
BLU Studio C HD
Infinix Hot X507
Infinix Hot 2 X510
Infinix Zero X506
Infinix Zero 2 X509
DOOGEE Voyager 2 DG310
LEAGOO Lead 3i
IKU Colorful K45i
Beeline Pro 2
XOLO Cube 5.0

The analysis revealed two critical findings:

First, the vulnerability described above exposes users to serious attacks wherever an adversary can insert themselves between the device and the update server, since nothing on the channel is encrypted or authenticated.

Second, the OTA binary shipped with a set of domains preconfigured in the software, only one of which was registered at the time the issue was discovered. Had an adversary noticed this and registered the remaining two domains, they would instantly have been able to issue arbitrary commands to almost 3,000,000 devices without needing a man-in-the-middle position at all. AnubisNetworks has since registered and now controls these two extraneous domains to prevent such an attack in this particular case.
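The two findings above share one root cause: the update client acts on whatever the server returns, with no way to tell a genuine vendor response from one injected in transit or served by whoever registers a hard-coded domain. The Go program below is an added illustration written for this page; it is not Ragentek's code, and the JSON manifest format, its field names and the sample commands are constructed for the example. It places a client that trusts the response as-is beside one that verifies an Ed25519 signature against a vendor public key pinned in the firmware, and shows that the signed variant rejects both a command swapped in transit and a response signed by an attacker who controls the server.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is an assumed, minimal OTA response. The advisory says the protocol
// carries commands and that one of them runs system commands, but does not
// describe the wire format, so this JSON shape is a construction for illustration.
type Manifest struct {
	Version int    `json:"version"`
	Command string `json:"command"`
}

// Envelope carries the manifest bytes and a detached Ed25519 signature over them.
type Envelope struct {
	Manifest  []byte `json:"manifest"`
	Signature []byte `json:"signature"`
}

// NewVendorKeypair stands in for the vendor's release-signing key. In a real
// deployment only the public key is baked into the firmware; the private key stays offline.
func NewVendorKeypair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignManifest is the vendor-side step: serialise the manifest and sign the bytes.
func SignManifest(priv ed25519.PrivateKey, m Manifest) ([]byte, error) {
	raw, err := json.Marshal(m)
	if err != nil {
		return nil, err
	}
	return json.Marshal(Envelope{Manifest: raw, Signature: ed25519.Sign(priv, raw)})
}

// InsecureClient reproduces the flaw the advisory describes: it parses whatever the
// plaintext channel delivers and returns the command for execution with no integrity check.
func InsecureClient(response []byte) (string, error) {
	var e Envelope
	if err := json.Unmarshal(response, &e); err != nil {
		return "", err
	}
	var m Manifest
	if err := json.Unmarshal(e.Manifest, &m); err != nil {
		return "", err
	}
	return m.Command, nil // a real client would now hand this to the shell as root
}

// VerifyingClient releases the command only if the signature checks out against the
// pinned vendor key. Neither an on-path attacker nor someone who registers one of the
// hard-coded domains can produce a valid signature without the vendor's private key.
func VerifyingClient(vendorPub ed25519.PublicKey, response []byte) (string, error) {
	var e Envelope
	if err := json.Unmarshal(response, &e); err != nil {
		return "", err
	}
	if !ed25519.Verify(vendorPub, e.Manifest, e.Signature) {
		return "", errors.New("update rejected: signature does not verify against vendor key")
	}
	var m Manifest
	if err := json.Unmarshal(e.Manifest, &m); err != nil {
		return "", err
	}
	return m.Command, nil
}

// ForgeCommand models a man-in-the-middle on the unencrypted channel: it swaps the
// command inside a captured response while leaving the original signature in place.
func ForgeCommand(response []byte, cmd string) ([]byte, error) {
	var e Envelope
	if err := json.Unmarshal(response, &e); err != nil {
		return nil, err
	}
	var m Manifest
	if err := json.Unmarshal(e.Manifest, &m); err != nil {
		return nil, err
	}
	m.Command = cmd
	raw, err := json.Marshal(m)
	if err != nil {
		return nil, err
	}
	e.Manifest = raw
	return json.Marshal(e)
}

func main() {
	pub, priv, _ := NewVendorKeypair()
	genuine, _ := SignManifest(priv, Manifest{Version: 2, Command: "pm install -r /cache/update.apk"})
	forged, _ := ForgeCommand(genuine, "sh -c 'id > /data/local/tmp/pwned'") // MITM case
	_, squatterPriv, _ := NewVendorKeypair()                                  // domain-takeover case
	squatted, _ := SignManifest(squatterPriv, Manifest{Version: 3, Command: "sh -c 'id > /data/local/tmp/pwned'"})

	for _, r := range [][]byte{genuine, forged, squatted} {
		c1, _ := InsecureClient(r)
		c2, err := VerifyingClient(pub, r)
		fmt.Printf("insecure client runs %q | verifying client: %q %v\n", c1, c2, err)
	}
}
```

Transport encryption alone would have closed the man-in-the-middle case but not the domain takeover, because whoever registers the domain can obtain a valid TLS certificate for it; signing the update payload with a key the attacker cannot hold addresses both, which is why OTA clients should pin a vendor signing key in addition to using TLS.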

To mitigate this issue, apply any update provided by your device vendor. At the time of writing, only BLU Products has issued a software update to address this vulnerability, and BitSight researchers have not yet tested the patch to confirm its effectiveness. The remaining Android devices on the list above should be assumed to still be affected.
