
Thread: Another spyware in Android found 2 days later ..

  1. Post #1: Another spyware in Android found 2 days later ..

    A type of "backdoor" opening for a rootkit, designed to have the smartphone "phone home" to China (again), was found by BitSight security researchers this week, shortly after KryptoWire found the Adups spyware..

    The spyware was designed apparently by a Chinese company called the RagenTek Group. It is designed to "hide" from normal system security checks.

    There has been a security risk warning posted as follows:

    Quote Android devices with code from Ragentek contain a privileged binary that performs over-the-air (OTA) update checks.

    Additionally, there are multiple techniques used to hide the execution of this binary. This behavior could be described as a rootkit.
    The phones made by these companies have been found (so far) to have the Ragentek spyware:
    • BLU Studio G
    • BLU Studio G Plus
    • BLU Studio 6.0 HD
    • BLU Studio X
    • BLU Studio X Plus
    • BLU Studio C HD
    • Infinix Hot X507
    • Infinix Hot 2 X510
    • Infinix Zero X506
    • Infinix Zero 2 X509
    • DOOGEE Voyager 2 DG310
    • LEAGOO Lead 5
    • LEAGOO Lead 6
    • LEAGOO Lead 3i
    • LEAGOO Lead 2S
    • LEAGOO Alfa 6
    • IKU Colorful K45i
    • Beeline Pro 2
    • XOLO Cube 5.0

    (above list posted by CERT - https://www.kb.cert.org/vuls/id/624539)

    The US Market appears to have been the target -

    Quote Based on the IP addresses of the connecting devices, vulnerable phones have gone to the server's addresses from locations all over the world, however, the US is the No. 1 affected country.

    "The thing that scares us is a lot of these users will be unaware of the vulnerability, and they will never get an update," BitSight CTO Stephen Boyer told Ars. "This is full system compromise. This is at the root level. [Attackers with a MitM position] can do anything."
    (MitM = Man in the Middle [attack] - we've discussed this as a way that the NSA, for instance, is able to intercept Tor users, and plant payloads in the user's computers after they are tricked into going to a page that was substituted by the Agency server).

    As soon as this spyware was noted, BitSight and its subsidiary company Anubis Networks took possession of the two preconfigured domains which the RagenTek spyware 'hardcoded' into the firmware:
    • 210.51.45.89/11
    • ota.ragentek.com
    • ota1.ragentek.com
    (Shanghai - Shanghai - Shanghai Chenyi Network Technology Co. Ltd., Shanghai Caohejing IDC of China Netcom)

    As they monitored what was going on, about 2.8 million affected phones attempted to log in to have additional rootkit-level applications installed.

    Quote In a blog post published Thursday, BitSight researchers said they went to a Best Buy store and purchased a BLU Studio G phone and were able to perform an attack that exploited the backdoor.

    As a result, they were able to install a file they named system_rw_test in /data/system/, a file location that's reserved for apps with all-powerful system privileges.

    João Gouveia, another BitSight researcher who helped uncover the rootkit, said in a tweet that he and his colleagues are "seeing lots of connections coming from all sorts of sectors, including healthcare, government and banking."

    "Given the large number of connecting devices with unknown manufacturers, the list of affected devices is sure to grow in the coming weeks."

    Folks who can check whose phone is connecting where (without their permission) can monitor for attempts to access these sites:
    • oyag[.]lhzbdvm[.]com
    • oyag[.]prugskh[.]net
    • oyag[.]prugskh[.]com

    Quote According to both BitSight and the CERT advisory, only BLU Products has released an update that addresses the vulnerability.

    It's not clear if it will be installed automatically or if users must manually apply it, and BitSight researchers have not yet tested the patch to evaluate its effectiveness.

    BLU Products representatives didn't respond to a message seeking comment for this post.

    Affected or potentially affected users who don't have an update can also protect themselves by connecting only to networks they trust or by using VPN software when connecting to hotspots and other unsecured Wi-Fi networks.
    Links for more information:
    http://blog.anubisnetworks.com/blog/...to-mitm-attack

    http://arstechnica.com/security/2016...ndroid-phones/
    Last edited by Bob; 19th November 2016 at 19:07.

  2. Post #2: Re: Another spyware in Android found 2 days later ..

    A compromised phone is about one of the worst compromises (since in reality it's a super dense sensor package, and with that amount of data streams it's pretty amazing what you can tell from the meta-analysis alone, not to mention direct recordings from video/audio, accelerometers, etc.). We are getting big into phone forensics and malware analysis in the cybersecurity industry; there's an entire subsection dedicated just to mobile devices.

    I think a modern, "flagship" smartphone is one of the coolest pieces of tech we have invented, so versatile. I've used my phone's accelerometer to "dyno tune" my car (and some math, to double verify).. and there was only an error margin of 5% or less!

    To have a rootkit on something that powerful, not only that powerful but something people keep with arms reach at all times... now THAT'S big brother (in your pocket)!
    Hard times create strong men, Strong men create good times, Good times create weak men, Weak men create hard times.

  3. Post #3: Re: Another spyware in Android found 2 days later ..

    Putting a packet tracker on your Android to see where it is 'phoning' home without your permission may be useful for those more technically inclined..

    https://play.google.com/store/apps/d...lcapture&hl=en

    This app says no rooting is required, but it is not a super advanced app.

    Checking with your 'powered by Android' SmartPhone's manufacturer should be a must to see if either the AdUps spyware or the RagenTek group's backdoor is present.

    ** if you find that your phone does contain either or both, please leave a post here in this thread with the Manufacturer and Model of the phone and which version Android your phone uses.
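
For readers who take the packet-capture route from post #3 and want to check the captured traffic against the indicators listed in post #1, here is an added example (not code from the thread, BitSight or CERT) that refangs the defanged domains, matches hostnames and subdomains against them, and flags connections to the listed IP. The log line format and the sample lines are constructed for this demonstration; adapt the regular expression to whatever your capture tool exports.

```python
"""Scan DNS-query / connection log lines for the Ragentek indicators quoted in the thread.

Added example for this thread, not BitSight/CERT tooling. The log format and the
SAMPLE_LOG lines below are constructed; the indicators are the ones the posts list.
"""
import ipaddress
import re
from typing import Iterable

# Indicators quoted in the thread, kept defanged exactly as the post writes them.
DEFANGED_DOMAINS = [
    "oyag[.]lhzbdvm[.]com",
    "oyag[.]prugskh[.]net",
    "oyag[.]prugskh[.]com",
    "ota.ragentek.com",
    "ota1.ragentek.com",
]
# The post gives "210.51.45.89/11"; the /11 suffix is ambiguous, so only the host is used.
INDICATOR_IPS = {"210.51.45.89"}


def refang(indicator: str) -> str:
    """Turn 'a[.]b' / 'a(.)b' defanging back into a plain lowercase hostname."""
    return indicator.replace("[.]", ".").replace("(.)", ".").strip().lower().strip(".")


INDICATOR_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def domain_matches(hostname: str) -> bool:
    """True for an exact indicator or any subdomain of one.

    Labels are compared, not substrings, so 'notoyag.lhzbdvm.com' does not match
    'oyag.lhzbdvm.com' while 'api.oyag.prugskh.net' does match 'oyag.prugskh.net'.
    """
    h = refang(hostname)
    return any(h == d or h.endswith("." + d) for d in INDICATOR_DOMAINS)


# Constructed log format: "<timestamp> <client-ip> <dns|conn> <hostname|ip:port>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<kind>dns|conn)\s+(?P<value>\S+)$")


def scan_lines(lines: Iterable[str]) -> list[dict]:
    """Return one hit record per line that touches an indicator; malformed lines are skipped."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, value = m["kind"], m["value"]
        if kind == "dns":
            if domain_matches(value):
                hits.append({"ts": m["ts"], "client": m["client"], "kind": "dns", "ioc": refang(value)})
        else:  # conn: strip the port, validate the address, compare against the IP list
            host = value.rsplit(":", 1)[0]
            try:
                ip = str(ipaddress.ip_address(host))
            except ValueError:
                continue
            if ip in INDICATOR_IPS:
                hits.append({"ts": m["ts"], "client": m["client"], "kind": "conn", "ioc": ip})
    return hits


# Constructed sample capture: two handsets on a home network, one clean lookup,
# one look-alike name that must NOT match, one subdomain that must match.
SAMPLE_LOG = [
    "2016-11-18T10:00:01Z 192.168.1.23 dns oyag.lhzbdvm.com",
    "2016-11-18T10:00:02Z 192.168.1.23 dns example.com",
    "2016-11-18T10:00:03Z 192.168.1.23 dns notoyag.lhzbdvm.com",
    "2016-11-18T10:00:04Z 192.168.1.42 dns api.oyag.prugskh.net",
    "2016-11-18T10:00:05Z 192.168.1.42 conn 210.51.45.89:80",
    "2016-11-18T10:00:06Z 192.168.1.42 conn 93.184.216.34:443",
    "this line is malformed and is ignored",
]


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG):
        print(f"{hit['ts']} client={hit['client']} {hit['kind']} -> {hit['ioc']}")
```

Run against the sample it reports three hits: the direct lookup from 192.168.1.23, the subdomain lookup from 192.168.1.42, and that handset's connection to the listed address. A hit on any of these names from a phone that has not been updated is the signal to take the device off networks you do not control until the manufacturer provides a fix, as the thread advises.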
