Bob
19th November 2016, 18:47
A type of "backdoor" opening, for a root-kit, designed to have the smartphone "phone home" to China (again), was found by BitSight security researchers this week, shortly after KryptoWire found the Adups spyware.
The spyware was designed apparently by a Chinese company called the RagenTek Group. It is designed to "hide" from normal system security checks.
There has been a security risk warning posted as follows:
Android devices with code from Ragentek contain a privileged binary that performs over-the-air (OTA) update checks.
Additionally, there are multiple techniques used to hide the execution of this binary. This behavior could be described as a rootkit.
The phones made by these companies have been found (so far) to have the Ragentek spyware:
BLU Studio G
BLU Studio G Plus
BLU Studio 6.0 HD
BLU Studio X
BLU Studio X Plus
BLU Studio C HD
Infinix Hot X507
Infinix Hot 2 X510
Infinix Zero X506
Infinix Zero 2 X509
DOOGEE Voyager 2 DG310
LEAGOO Lead 5
LEAGOO Lead 6
LEAGOO Lead 3i
LEAGOO Lead 2S
LEAGOO Alfa 6
IKU Colorful K45i
Beeline Pro 2
XOLO Cube 5.0
(above list posted by CERT - https://www.kb.cert.org/vuls/id/624539)
The US Market appears to have been the target -
Based on the IP addresses of the connecting devices, vulnerable phones have gone to the server's addresses from locations all over the world, however, the US is the No. 1 affected country.
"The thing that scares us is a lot of these users will be unaware of the vulnerability, and they will never get an update," BitSight CTO Stephen Boyer told Ars. "This is full system compromise. This is at the root level. [Attackers with a MitM position] can do anything."
(MitM = Man in the Middle [attack] - we've discussed this as a way that the NSA, for instance, is able to intercept Tor users and plant payloads in the users' computers after they are tricked into going to a page that was substituted by the Agency's server).
As soon as this spyware was noted, BitSight and its subsidiary company Anubis Networks took possession of the two preconfigured domains which the RagenTek spyware 'hardcoded' into the firmware. 210.51.45.89/11 ota.ragentek.com ota1.ragentek.com (Shanghai - Shanghai - Shanghai Chenyi Network Technology Co. Ltd., Shanghai Caohejing IDC of China Netcom)
As they monitored what was going on, about 2.8 million affected phones attempted to log in to have additional rootkit-level applications installed.
In a blog post published Thursday, BitSight researchers said they went to a Best Buy store and purchased a BLU Studio G phone and were able to perform an attack that exploited the backdoor.
As a result, they were able to install a file they named system_rw_test in /data/system/, a file location that's reserved for apps with all-powerful system privileges.
João Gouveia, another BitSight researcher who helped uncover the rootkit, said in a tweet that he and his colleagues are "seeing lots of connections coming from all sorts of sectors, including healthcare, government and banking."
"Given the large number of connecting devices with unknown manufacturers, the list of affected devices is sure to grow in the coming weeks."
Folks who can check who their phone is connecting to (without their permission) can monitor for attempts to access these sites:
oyag[.]lhzbdvm[.]com
oyag[.]prugskh[.]net
oyag[.]prugskh[.]com
According to both BitSight and the CERT advisory, only BLU Products has released an update that addresses the vulnerability.
It's not clear if it will be installed automatically or if users must manually apply it, and BitSight researchers have not yet tested the patch to evaluate its effectiveness.
BLU Products representatives didn't respond to a message seeking comment for this post.
Affected or potentially affected users who don't have an update can also protect themselves by connecting only to networks they trust or by using VPN software when connecting to hotspots and other unsecured Wi-Fi networks.
Links for more information:
http://blog.anubisnetworks.com/blog/ragentek-android-ota-update-mechanism-vulnerable-to-mitm-attack
http://arstechnica.com/security/2016/11/powerful-backdoorrootkit-found-preinstalled-on-3-million-android-phones/
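A detection check for the indicators listed in the post, added here as an example that is not from the original post, BitSight or CERT: it refangs the posted domains (plus the two hard-coded ota*.ragentek.com OTA hosts named above) and flags any client in a DNS resolver log that looked them up. The log line shape "<timestamp> <client-ip> query <qname>" and the sample lines are assumptions constructed for the example.

```python
import re

# Indicators as published in the post (defanged with "[.]"); the two
# ota*.ragentek.com hosts are the hard-coded OTA servers named in the same post.
DEFANGED_INDICATORS = [
    "oyag[.]lhzbdvm[.]com",
    "oyag[.]prugskh[.]net",
    "oyag[.]prugskh[.]com",
    "ota[.]ragentek[.]com",
    "ota1[.]ragentek[.]com",
]

def refang(indicator):
    """Turn a defanged indicator back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower().strip(".")

INDICATORS = {refang(i) for i in DEFANGED_INDICATORS}

def matches_indicator(hostname):
    """True if hostname equals an indicator or is a subdomain of one."""
    host = hostname.lower().rstrip(".")
    return any(host == ioc or host.endswith("." + ioc) for ioc in INDICATORS)

# Assumed log line shape: "<timestamp> <client-ip> query <qname>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+)")

def find_beaconing_clients(lines):
    """Map each client IP to the sorted list of indicator hosts it looked up."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if m and matches_indicator(m.group("qname")):
            host = m.group("qname").lower().rstrip(".")
            hits.setdefault(m.group("client"), set()).add(host)
    return {ip: sorted(hosts) for ip, hosts in hits.items()}

# Constructed sample resolver log, not real telemetry.
SAMPLE_LOG = """\
2016-11-18T10:01:02Z 192.0.2.10 query www.example.com
2016-11-18T10:01:05Z 192.0.2.23 query oyag.prugskh.net
2016-11-18T10:02:11Z 192.0.2.23 query OYAG.LHZBDVM.COM.
2016-11-18T10:03:40Z 192.0.2.31 query ota1.ragentek.com
2016-11-18T10:04:00Z 192.0.2.10 query notprugskh.com
malformed line
""".splitlines()

if __name__ == "__main__":
    for ip, hosts in find_beaconing_clients(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(hosts)}")
```

A client that shows up here is worth pulling off the network for inspection; the "notprugskh.com" line shows why the match is on whole labels rather than a plain substring.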