Millions Of Android Devices Found Preinstalled With Potentially Malicious Firmware

Two serious security breaches found in various Android devices were discovered over the course of last week.

Updated Jul 16, 2017Security

The first, found by Kryptowire[1] gives the attacker the ability to get a hold of personally identifying information (PII) belongs to the attacked device owner, including text messages, contact lists and call history.

The second, is even more serious by virtue of the abilities it grants the attacker, for it allows the attacker to issue commands as root (administrative) user which enables him to do virtually anything he likes with the device software. The second security breach was found by AnubisNetworks[2].

Despite being different in nature and source, both the malicious firmware shared a common ground expressed via certain patterns that may be used by Android owners to make a more informed purchase the next time they buy a new device with Android preinstalled.

A Similar Pattern

According to both researches, the potentially malicious firmware both originated from the same country – China.

The one being responsible for sending PII was attributed to a company named Shanghai Adups Technology Co. Ltd – which was identified as the maker of the firmware and the receiver of the PII. The second firmware was associated to the software company, Ragentek Group, also based in China.

Besides sharing similar country of origin, as mentioned earlier, both firmware were preinstalled on the devices they were found on – an important fact to note, since many antivirus programs out there usually assumes that software that came with the device aren’t malicious, thus they pass undetected by those.

Another important resemblance between the two is that both use OTA (Over The Air) mechanism in order to actualize the threat they carry, that is, they exploit the vulnerability devices are exposed to upon permitting OTA updates to take place.

Lastly, another similarity to note is that both potentially malicious firmware were found on devices mostly targeting the low-end market. In both cases the company named BLU was mentioned as one with the infected devices.

Distribution of Observed Devices by Manufacturer

Distribution of Observed Devices by Manufacturer

Are You Affected? What Can You Do?

In both cases, the companies who have found the security breaches recommends consumers that believe their devices may be affected to refer to the manufacturer warranty or retailer terms of purchase for more information.

Nevertheless, if you’re more tech-inclined and wish to conduct your own investigation regarding whether you’ve been affected, here are a couple of things you can try:

1. Regarding the potentially malicious code that transmits users PII – Kryptowire has identified 2 system packages that were essential to its functioning:

  • com.adups.fota.sysoper
  • com.adups.fota

2. As for the other potentially malicious firmware, the one which enables an attacker to execute commands on affected devices – AnubisNetworks was able to associate it with the following specific binaries named:

  • debugs
  • debugsbak
  • debugsrun

So, you might want to start by searching for those.

Furthermore, as for the second case AnubisNetworks also suggests the following method:

“To manually verify, you can monitor for outbound connections from your phone to the hostnames described earlier in the article. If the transactions occur over HTTP instead of HTTPS, then the device would be affected by this issue.”

The hostnames are:

  • oyag[.]prugskh[.]com – seized by AnubisNetworks
  • oyag[.]prugskh[.]net – seized by AnubisNetworks
  • oyag[.]lhzbdvm[.]com – owned by Ragentek

Affected or potentially affected users of the second security breach can also protect themselves by connecting only to networks they trust or by using a VPN software when connecting to hotspots or unsecured Wi-Fi networks.