3 Million Android Devices Vulnerable Due to a Dangerous Pre-Installed Rootkit


Nearly three million Android devices are exposed to a man-in-the-middle (MiTM) attack, researchers have discovered, which lets attackers remotely take full control of the affected devices.

Researchers from security rating firm BitSight have revealed that a vulnerability in the implementation of over-the-air (OTA) updates in millions of low-cost Android devices such as BLU Studio G from Best Buy has rendered these phones vulnerable to MiTM attacks.

Fundamentally, the vulnerability allows attackers to execute arbitrary code with root privileges, giving them full control of the device and a complete compromise of it.

The OTA mechanism, developed by Chinese mobile firm Ragentek Group, includes a hidden binary that runs with root privileges and communicates over encrypted channels with multiple hosts.

Beyond exposing user-specific information to MiTM attackers, this privileged binary also doubles as a rootkit, enabling attackers to execute arbitrary commands remotely.

Following testing, the researchers wrote:

We have observed over 2.8 million distinct devices, across roughly 55 reported device models, which have checked into our sinkholes since we registered the extraneous domains. In some cases, we have not been able to translate the provided device model into a reference to the real world device.

More alarmingly, the OTA binary was discovered to contain a set of domains preconfigured in the software. The researchers determined that only one of these domains was registered at the time the vulnerability was discovered. Had a malicious attacker registered the other two domains, they would instantly have been able to perform arbitrary attacks on 3 million devices, without even needing to perform a MiTM attack.

Vendors affected by the vulnerability include BLU Products, Infinix Mobility and Ragentek, while other low-cost manufacturers such as Beeline and XOLO could also be affected.

A list of some of the vulnerable devices, as reported by The Hacker News, is as follows:

  • BLU Studio G
  • BLU Studio G Plus
  • BLU Studio 6.0 HD
  • BLU Studio X
  • BLU Studio X Plus
  • BLU Studio C HD
  • Infinix Hot X507
  • Infinix Hot 2 X510
  • Infinix Zero X506
  • Infinix Zero 2 X509
  • DOOGEE Voyager 2 DG310
  • LEAGOO Lead 5
  • LEAGOO Lead 6
  • LEAGOO Lead 3i
  • LEAGOO Lead 2S
  • LEAGOO Alfa 6
  • IKU Colorful K45i
  • Beeline Pro 2
  • XOLO Cube 5.0

As things stand, only BLU has deployed a software update to patch the vulnerability. Other manufacturers are expected to follow.
