China’s Google-like search engine Baidu is offering a
software development kit (SDK) that contains functionality that can be
abused to give backdoor-like access to a user’s device, potentially
exposing around 100 Million Android users to malicious hackers.
The SDK in question is Moplus, which may not be directly
available to the public but has already made its way into more than
14,000 Android apps, of which around 4,000 were actually created by
Baidu.
Overall, more than 100 Million Android users who have downloaded these apps on their smartphones are in danger.
Security researchers from Trend Micro have discovered a vulnerability in the Moplus SDK, called Wormhole,
that allows attackers to launch an unsecured and unauthenticated HTTP
server on affected devices, which runs silently in the
background without the user’s knowledge.
This hidden server does not use authentication and accepts
requests from anyone on the Internet, so an attacker who can reach
a particular port of the HTTP server can send it requests that
execute malicious commands on the device.
Malicious Functionalities of Wormhole
Currently, the researchers have identified that the SDK uses port 6259 or 40310 to perform malicious activities on affected Android devices, which include:
- Send SMS messages
- Make phone calls
- Get mobile phone details
- Add new contacts
- Get a list of local apps
- Download files on the device
- Upload files from the device
- Silently install other apps (if the phone is rooted)
- Push Web pages
- Get phone’s geo-location, and many more
Since the SDK automatically installs the Web server when a Moplus
SDK app is opened, hackers just need to scan a mobile network for port
6259 or 40310 to find vulnerable devices they can abuse.
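A defender-side check built from the details above, added here as an example and not code from the original article or from Trend Micro or Baidu: it parses netstat-style socket output from an Android device and flags anything bound to, or connected on, the two Wormhole ports. The sample rows and the app name com.example.app are constructed placeholders; a wildcard bind (0.0.0.0 or ::) is what makes the listener reachable from the network.

```python
import re
from typing import Dict, List

# Ports the Trend Micro write-up names for the Moplus HTTP server.
WORMHOLE_PORTS = {6259, 40310}
WILDCARD_BINDS = {"0.0.0.0", "::", ""}  # reachable from off-device

# Constructed sample in the layout of `netstat -tnp` on Android (not real device output).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:5037          0.0.0.0:*               LISTEN      1234/adbd
tcp        0      0 0.0.0.0:6259            0.0.0.0:*               LISTEN      4321/com.example.app
tcp6       0      0 :::40310                :::*                    LISTEN      4321/com.example.app
tcp        0      0 10.0.0.5:40310          203.0.113.9:51000       ESTABLISHED 4321/com.example.app
tcp        0      0 10.0.0.5:47112          198.51.100.7:443        ESTABLISHED 2222/com.android.chrome
"""

LINE_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)"
    r"(?:\s+(?P<pid>\d+)/(?P<prog>\S+))?"
)


def split_addr(addr: str):
    """'0.0.0.0:6259' -> ('0.0.0.0', 6259); ':::40310' -> ('::', 40310)."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def find_wormhole_activity(netstat_output: str) -> List[Dict]:
    """Return listeners on the Wormhole ports and any established inbound
    connection to them; 'exposed' marks a wildcard bind reachable off-device."""
    findings = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or non-TCP row
        host, port = split_addr(m["local"])
        if port not in WORMHOLE_PORTS:
            continue
        prog = m["prog"] or "unknown"
        if m["state"] == "LISTEN":
            findings.append({"kind": "listener", "port": port, "bind": host,
                             "exposed": host in WILDCARD_BINDS, "program": prog})
        elif m["state"] == "ESTABLISHED":
            peer, _ = split_addr(m["remote"])  # someone already talking to the port
            findings.append({"kind": "inbound", "port": port, "peer": peer, "program": prog})
    return findings
```

On a real device the same function can be fed the output of `adb shell netstat -tnp`; an established inbound row is the stronger signal, since it shows the port is not just open but being used.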
Wormhole is More Dangerous than Stagefright
The vulnerability, according to researchers, is potentially easier to exploit than the Stagefright flaw, as Wormhole doesn’t require social engineering to infect an unsuspecting user.
Trend Micro has also found at least one malware strain (detected as ANDROIDOS_WORMHOLE.HRXA) in the wild that takes advantage of Wormhole in Moplus SDK.
Researchers informed both Baidu as well as Google of the vulnerability.
As a result, Baidu has just pushed a partial fix for the problem by
releasing a new version of the SDK that removes some of the SDK’s
functionality, but not all. The HTTP server remains online and active;
however, Baidu assured its users that no backdoor exists now.
This isn’t the first time a Chinese company has been caught distributing a malicious SDK. Just a few days ago, the Taomike SDK,
one of the biggest mobile ad solutions in China, was caught secretly
spying on users’ SMS messages and uploading them to a server in China.
The same malicious functionality was also discovered two weeks back in another SDK developed by Youmi;
it affected 256 iOS apps, which were caught using private APIs to
collect users’ private data. Apple eventually banned those apps
from its App Store.