Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
thnMohit KumarTHN:ED3BE24AA77288E97891A4BD92AAA678
HistoryNov 03, 2015 - 2:11 a.m.

Backdoor in Baidu Android SDK Puts 100 Million Devices at Risk

2015-11-0302:11:00
Mohit Kumar
thehackernews.com
9
JSON

android-malware-hack

The China’s Google-like Search Engine Baidu is offering a software development kit (SDK) that contains functionality that can be abused to give backdoor-like access to a user’s device, potentially exposing around100 Million Android users to malicious hackers.

The SDK in question is Moplus, which may not be directly available to the public but has already made its way into more than 14,000 Android apps, of which around 4,000 are actually created by Baidu.

Overall, more than 100 Million Android users, who have downloaded these apps on their smartphones, are in danger.

Security researchers from Trend Micro have discovered a vulnerability in the Moplus SDK, calledWormhole, that allows attackers to launch an unsecured and unauthenticated HTTP server connection on affected devices, which works silently in the background, without the user’s knowledge.

Also Read: More than 26 Android Phone Models Shipped with Pre-Installed Spyware

This unsecured server does not use authentication and can accept requests from anyone on the Internet. Though the server is controlled by the attacker, who can send requests to a particular port of this hidden HTTP server to execute malicious commands.

Malicious Functionalities of Wormhole

Currently, the researchers have identified that the SDK is using the port 6259 or 40310 to perform malicious activities on affected Android devices, which includes:

  • Send SMS messages
  • Make phone calls
  • Get mobile phone details
  • Add new contacts
  • Get a list of local apps
  • Download files on the device
  • Upload files from the device
  • Silently install other apps (if the phone is rooted)
  • Push Web pages
  • Get phone’s geo-location, and many more

Since the SDK automatically installs the Web server when a Moplus SDK app is opened, hackers just need to scan a mobile network for port 6259 or 40310, thereby finding vulnerable devices they can abuse.
** ** Also Read: Android Malware Can Spy On You Even When Your Mobile Is Off

Wormhole is More Dangerous than Stagefright

The vulnerability, according to researchers, is potentially easier to exploit than the Stagefright flaw, asWormhole doesn’t require social engineering to infect an unsuspecting user.

Trend Micro has also found at least one malware strain (detected as ANDROIDOS_WORMHOLE.HRXA) in the wild that takes advantage of Wormhole in Moplus SDK.

Researchers informed both Baidu as well as Google of the vulnerability.

As a result, Baidu has just pushed a partial fix for the problem by releasing a new version of the SDK that removed some of the SDK’s functionality, but not all. The HTTP server remains online and active; however, Baidu assured its users that no backdoor exists now.

Must Read:Stagefright Bug 2.0 — One Billion Android SmartPhones Vulnerable to Hacking

This isn’t the first time a Chinese company has caught distributing malicious SDK. Just a few days ago, the Taomike SDK – one of the biggest mobile ad solutions in China – was caught secretly spying on users’ SMS messages and uploading them to a server in China.

The same malicious functionality was also discovered two weeks back in another SDK developed by Youmi; that affected 256 iOS apps, which were caught using private APIs to collect users private data. However, Apple eventually banned those apps from its App Store.

JSON