Analecta Cyber Company Blog: Backdoor in Android devices puts 100 million at risk

2015-11-18

Backdoor in Android devices puts 100 million at risk

A Google-like search engine in China called Baidu may have put more than 100 million Android users in danger. That’s because of the software development kit (SDK) called Moplus that is often offered to Android users.

According to reports, the SDK contains functionality that could be abused to open backdoor-like access to a user's device, making it possible for malicious hackers to penetrate affected devices without the owner’s knowledge.

Moplus may not be openly accessible to the public, but it is believed to have already made its way into more than 14,000 Android apps, potentially exposing around 100 million Android users who installed those apps, and with them the kit, on their smartphones. Of these apps, around 4,000 were actually created by Baidu.
Researchers at the firm Trend Micro discovered the vulnerability in the Moplus SDK, which is called Wormhole.

Wormhole exposes an unsecured, unauthenticated HTTP server on affected smartphones. Through this server, an attacker can send requests that execute malicious commands and compromise the device.

Based on the findings of Trend Micro researchers, the malicious actions an attacker can perform on Android devices affected by Wormhole include sending SMS messages, making phone calls, obtaining mobile phone details, downloading and uploading files, silently installing other apps and revealing the phone's geo-location.
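One check a defender can run for the exposure described above, namely an app that keeps an HTTP server listening for unauthenticated requests from the network, is to look for app-owned listening sockets bound to a non-loopback address. The script below is an added example, not code from the original post or from Trend Micro or Baidu; it parses the kernel's /proc/net/tcp table (assumed to be collected with `adb shell cat /proc/net/tcp`), and the sample table, ports and UIDs in it are constructed.

```python
"""Flag Android app processes that expose a listening TCP socket to the network.

Added example: parses /proc/net/tcp (assumed collected via `adb shell cat
/proc/net/tcp`) and reports LISTEN sockets owned by app UIDs that are not bound
to loopback. The sample rows, ports and UIDs below are constructed.
"""
import socket
import struct

TCP_LISTEN = "0A"       # value of the 'st' column for a LISTEN socket
FIRST_APP_UID = 10000   # Android assigns UIDs >= 10000 to installed apps (user 0)

# Constructed sample: a system daemon on loopback, an app listening on loopback
# only, an app listening on all interfaces, and one established app connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1388 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 101 1 0000000000000000 100 0 0 10 0
   1: 0100007F:2710 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10052        0 202 1 0000000000000000 100 0 0 10 0
   2: 00000000:4E20 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10073        0 303 1 0000000000000000 100 0 0 10 0
   3: 0100007F:2710 0100007F:C350 01 00000000:00000000 00:00000000 00000000 10052        0 404 1 0000000000000000 100 0 0 10 0
"""


def _decode_addr(hex_addr: str) -> tuple[str, int]:
    """Turn the kernel's 'AABBCCDD:PPPP' form into (dotted IPv4, port).

    The IPv4 word is written in host byte order, which is little-endian on
    Android's ARM and x86 devices, so it is unpacked with '<I'.
    """
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def exposed_app_listeners(proc_net_tcp: str) -> list[tuple[int, str, int]]:
    """Return (uid, ip, port) for app-owned LISTEN sockets not bound to loopback."""
    hits = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8:
            continue
        local, state, uid = fields[1], fields[3], int(fields[7])
        if state != TCP_LISTEN or uid < FIRST_APP_UID:
            continue
        ip, port = _decode_addr(local)
        if not ip.startswith("127."):
            hits.append((uid, ip, port))
    return hits


if __name__ == "__main__":
    for uid, ip, port in exposed_app_listeners(SAMPLE_PROC_NET_TCP):
        print(f"app uid {uid} listens on {ip}:{port} (reachable from the network)")
```

A hit only says that an app accepts connections from the network; mapping the UID back to a package (for example with `adb shell pm list packages -U`) and inspecting what that listener does is the follow-up.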

Attacks of this kind, carried out without the device owner’s knowledge, are not something users should take lightly.

The researchers also found at least one malware strain in the wild (detected as ANDROIDOS_WORMHOLE.HRXA) that takes advantage of Wormhole in the Moplus SDK. They have informed both Baidu and Google of the vulnerability. As a result, Baidu released a partial fix for the problem in a new version of the SDK that removed some of the SDK's functionality. The HTTP server remains active, but the company guaranteed that no backdoor exists for now.