A type of "backdoor" for a rootkit, designed to have the smartphone "phone home" to China (again), was found by BitSight security researchers this week, shortly after Kryptowire found the Adups spyware.
The spyware apparently comes from a Chinese company called Ragentek Group, and it is built to "hide" from normal system security checks.
There has been a security risk warning posted as follows:
"Android devices with code from Ragentek contain a privileged binary that performs over-the-air (OTA) update checks. Additionally, there are multiple techniques used to hide the execution of this binary. This behavior could be described as a rootkit."
The phones made by these companies have been found (so far) to have the Ragentek spyware:
- BLU Studio G
- BLU Studio G Plus
- BLU Studio 6.0 HD
- BLU Studio X
- BLU Studio X Plus
- BLU Studio C HD
- Infinix Hot X507
- Infinix Hot 2 X510
- Infinix Zero X506
- Infinix Zero 2 X509
- DOOGEE Voyager 2 DG310
- LEAGOO Lead 5
- LEAGOO Lead 6
- LEAGOO Lead 3i
- LEAGOO Lead 2S
- LEAGOO Alfa 6
- IKU Colorful K45i
- Beeline Pro 2
- XOLO Cube 5.0
(above list posted by CERT - https://www.kb.cert.org/vuls/id/624539)
The US market appears to have been the target:
"Based on the IP addresses of the connecting devices, vulnerable phones have gone to the server's addresses from locations all over the world, however, the US is the No. 1 affected country."
(MitM = Man in the Middle [attack] - we've discussed this as a way that the NSA, for instance, is able to intercept Tor users and plant payloads on users' computers after they are tricked into going to a page that was substituted by the Agency server.)
"The thing that scares us is a lot of these users will be unaware of the vulnerability, and they will never get an update," BitSight CTO Stephen Boyer told Ars. "This is full system compromise. This is at the root level. [Attackers with a MitM position] can do anything."
As soon as this spyware was noted, BitSight and its subsidiary Anubis Networks took possession of the two preconfigured domains which the Ragentek spyware had 'hardcoded' into the firmware: 210.51.45.89/11, ota.ragentek.com, ota1.ragentek.com (Shanghai - Shanghai - Shanghai Chenyi Network Technology Co. Ltd., Shanghai Caohejing IDC of China Netcom).
As they monitored what was going on, about 2.8 million affected phones attempted to check in to have additional root-level applications installed.
João Gouveia, another BitSight researcher who helped uncover the rootkit, said in a tweet that he and his colleagues are "seeing lots of connections coming from all sorts of sectors, including healthcare, government and banking."
In a blog post published Thursday, BitSight researchers said they went to a Best Buy store and purchased a BLU Studio G phone and were able to perform an attack that exploited the backdoor.
As a result, they were able to install a file they named system_rw_test in /data/system/, a file location that's reserved for apps with all-powerful system privileges.
"Given the large number of connecting devices with unknown manufacturers, the list of affected devices is sure to grow in the coming weeks."
Folks who can check which hosts their phone connects to (without their permission) can monitor for attempts to reach these sites:
- oyag[.]lhzbdvm[.]com
- oyag[.]prugskh[.]net
- oyag[.]prugskh[.]com
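As an added example (not from the original post, BitSight or CERT), a small Python scan that flags DNS queries for the three check-in hostnames listed above, refanging the "[.]" notation and matching subdomains too. The dnsmasq-style query-log format and the sample lines are assumptions constructed for the demo:

```python
import re
from collections import Counter

# Check-in hostnames from the BitSight/CERT reporting, in the defanged
# "[.]" form used in the post; refang() turns them back into real names.
RAGENTEK_DOMAINS = [
    "oyag[.]lhzbdvm[.]com",
    "oyag[.]prugskh[.]net",
    "oyag[.]prugskh[.]com",
]

def refang(indicator):
    """Convert 'oyag[.]example[.]com' into 'oyag.example.com'."""
    return indicator.replace("[.]", ".").lower().rstrip(".")

WATCHLIST = {refang(d) for d in RAGENTEK_DOMAINS}

def matches_watchlist(qname):
    """True if qname is a watchlisted name or a subdomain of one.
    The leading '.' in the suffix test avoids hits on look-alikes
    such as 'notoyag.prugskh.com'."""
    name = qname.lower().rstrip(".")
    return any(name == w or name.endswith("." + w) for w in WATCHLIST)

# Assumed log line shape (dnsmasq with log-queries enabled):
# "<time> dnsmasq[pid]: query[A] <name> from <client-ip>"
QUERY_RE = re.compile(r"query\[\w+\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")

def scan_dns_log(lines):
    """Return a Counter of {client_ip: hits} for queries to watchlisted names."""
    hits = Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if m and matches_watchlist(m.group("name")):
            hits[m.group("client")] += 1
    return hits

# Constructed sample log lines, not real captured traffic.
SAMPLE_LOG = """\
Nov 17 09:12:01 dnsmasq[812]: query[A] oyag.prugskh.net from 192.168.1.23
Nov 17 09:12:02 dnsmasq[812]: query[A] www.example.com from 192.168.1.40
Nov 17 09:13:10 dnsmasq[812]: query[A] OYAG.lhzbdvm.com. from 192.168.1.23
Nov 17 09:14:55 dnsmasq[812]: query[A] notoyag.prugskh.com from 192.168.1.9
Nov 17 09:15:30 dnsmasq[812]: query[AAAA] cdn.oyag.prugskh.com from 192.168.1.9
""".splitlines()

if __name__ == "__main__":
    for client, n in scan_dns_log(SAMPLE_LOG).items():
        print(f"{client}: {n} lookup(s) of Ragentek check-in domains")
```

Any client that shows up in the result is a phone worth checking against the device list above; a resolver that sinkholes these names (as BitSight did) stops the check-in but does not remove the binary.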
According to both BitSight and the CERT advisory, only BLU Products has released an update that addresses the vulnerability.
It's not clear if it will be installed automatically or if users must manually apply it, and BitSight researchers have not yet tested the patch to evaluate its effectiveness.
BLU Products representatives didn't respond to a message seeking comment for this post.
Affected or potentially affected users who don't have an update can also protect themselves by connecting only to networks they trust or by using VPN software when connecting to hotspots and other unsecured Wi-Fi networks.
Links for more information:
http://blog.anubisnetworks.com/blog/...to-mitm-attack
http://arstechnica.com/security/2016...ndroid-phones/