Researchers find rootkit-like software on 2.8 million Android devices
Researchers at the security firm AnubisNetworks have found software from the Chinese company Ragentek on at least 2.8 million Android devices that could allow attackers to execute arbitrary code remotely. This mainly concerns devices from BLU.
The researchers write that this is due to an insecure implementation of an OTA (over-the-air) update mechanism: the update process takes place over an insecure internet connection. The vulnerable devices also try to connect to three different domains, of which only one is registered. By registering the other two domains themselves, the researchers gained insight into the number of affected devices. They write that any malicious party could have done the same and thus gained full access to the devices. Because the update process is insecure, the devices also remain vulnerable to man-in-the-middle attacks.
In the blog post, the security company identifies a total of 55 different affected devices. Of these, 26.3 percent are from the manufacturer BLU. Other affected brands include Infinix, Doogee, Leagoo and Xolo. A list with more details about the affected devices is available. The researchers told Ars Technica that most users of these devices are in the United States; they determined this on the basis of the traffic to the registered domains. The devices are reportedly in use all over the world.
They add that Ragentek’s software “goes to great lengths” to hide itself and that it has been modified to make it appear as if it doesn’t exist. However, they do not believe it is a deliberately developed rootkit, but rather a legitimate update process. They have not been able to contact Ragentek or other manufacturers. According to information on cert.org, BLU is so far the only manufacturer that intends to release a patch.
The researchers emphasize that their findings are separate from a similar discovery, reported in the New York Times this week. The security company Kryptowire had determined that devices from manufacturer BLU contain software from the Chinese company Adups Technology. It sent sensitive data, including contacts, text messages, and conversation history, to third-party servers. The Chinese company later released a statement saying that the data was collected to send appropriate updates to the devices and to prevent spam.