Android Devices Suffer from OTA Hole

Tuesday, November 22, 2016 @ 04:11 PM gHale

An insecure implementation of the Over-the-air (OTA) update mechanism used by Android phone models exposes nearly 3 million phones to Man-in-the-Middle (MitM) attacks.

Ragentek Group, a Chinese software company, didn’t use an encrypted channel for transactions from the binary to the third-party endpoint.


This vulnerability not only exposes user-specific information to attackers, but also behaves as a rootkit, allowing an attacker to issue commands that end up executed on affected systems, said researchers at AnubisNetworks.

The code from Ragentek contains a privileged binary for OTA update checks as well as multiple techniques to hide its execution. Located at /system/bin/debugs, the binary runs with root privileges and communicates over unencrypted channels with three hosts. Responses from the remote server include functionalities to execute arbitrary commands as root, install apps, or update configurations.

In this case, the vulnerability (CVE-2016-6564) allows a remote, unauthenticated attacker capable of performing a MitM attack to replace server responses with their own and execute arbitrary commands as root on the affected devices.
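The defect described above is an update client that trusts whatever comes back over a plaintext channel, including instructions to run commands as root. The following is an added example, not Ragentek's code and not part of the AnubisNetworks research, showing the shape of a hardened OTA check: the response is a JSON manifest carrying only a package URL and digest, signed with an Ed25519 key whose public half is pinned in the firmware, and the client refuses anything unsigned, tampered with, served over plain HTTP, or carrying fields (such as a command) the manifest format does not define. The wire format, field names and the `BuildSignedResponse` server-side helper are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// UpdateManifest is the only shape the hardened client accepts: where to fetch
// a package and what its digest must be. There is deliberately no field through
// which a server could hand the device a command to run. (Constructed format.)
type UpdateManifest struct {
	Version    string `json:"version"`
	PackageURL string `json:"package_url"`
	SHA256     string `json:"sha256"`
}

// SignedResponse is the constructed wire format: the raw manifest bytes plus a
// hex-encoded Ed25519 signature over exactly those bytes.
type SignedResponse struct {
	Manifest  json.RawMessage `json:"manifest"`
	Signature string          `json:"signature"`
}

// ErrUntrusted is returned for anything the device must not act on.
var ErrUntrusted = errors.New("ota: response failed verification")

// VerifyUpdateResponse takes a response body and the public key baked into the
// firmware. Transport encryption alone is not enough: whoever can reach the
// update channel must also be unable to forge a manifest, so the signature is
// checked before any field is parsed.
func VerifyUpdateResponse(pinned ed25519.PublicKey, raw []byte) (*UpdateManifest, error) {
	var resp SignedResponse
	if err := json.Unmarshal(raw, &resp); err != nil {
		return nil, ErrUntrusted
	}
	sig, err := hex.DecodeString(resp.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return nil, ErrUntrusted
	}
	if !ed25519.Verify(pinned, resp.Manifest, sig) {
		return nil, ErrUntrusted
	}
	// Only after the signature holds is the manifest decoded; unknown keys
	// (for example a "cmd" field) are rejected rather than silently ignored.
	dec := json.NewDecoder(bytes.NewReader(resp.Manifest))
	dec.DisallowUnknownFields()
	var m UpdateManifest
	if err := dec.Decode(&m); err != nil {
		return nil, ErrUntrusted
	}
	u, err := url.Parse(m.PackageURL)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return nil, ErrUntrusted
	}
	if digest, err := hex.DecodeString(m.SHA256); err != nil || len(digest) != sha256.Size {
		return nil, ErrUntrusted
	}
	return &m, nil
}

// VerifyPackage ties the downloaded bytes to the digest in the signed manifest.
func VerifyPackage(m *UpdateManifest, pkg []byte) bool {
	sum := sha256.Sum256(pkg)
	return hex.EncodeToString(sum[:]) == strings.ToLower(m.SHA256)
}

// BuildSignedResponse plays the update server so the example runs offline.
func BuildSignedResponse(priv ed25519.PrivateKey, m UpdateManifest) ([]byte, error) {
	manifest, err := json.Marshal(m)
	if err != nil {
		return nil, err
	}
	sig := ed25519.Sign(priv, manifest)
	return json.Marshal(SignedResponse{Manifest: manifest, Signature: hex.EncodeToString(sig)})
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	pkg := []byte("constructed update package bytes")
	sum := sha256.Sum256(pkg)
	m := UpdateManifest{Version: "1.0.1", PackageURL: "https://ota.example.invalid/pkg.zip", SHA256: hex.EncodeToString(sum[:])}
	raw, _ := BuildSignedResponse(priv, m)

	good, err := VerifyUpdateResponse(pub, raw)
	fmt.Println("genuine response accepted:", err == nil && VerifyPackage(good, pkg))

	// A man-in-the-middle rewriting the manifest in transit breaks the signature.
	tampered := bytes.Replace(raw, []byte("https://"), []byte("http://"), 1)
	_, err = VerifyUpdateResponse(pub, tampered)
	fmt.Println("tampered response rejected:", errors.Is(err, ErrUntrusted))
}
```

The design point is that the device never acts on anything it did not verify against a key it already holds, and the accepted format simply has no place for commands. Pinning the key in firmware also means a compromised or squatted update domain (the researchers registered two of Ragentek's unregistered domains) cannot push anything the device will install.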

The issue in Ragentek’s Android OTA update mechanism is included out of the box.

The CERT advisory associated with this vulnerability reveals multiple smartphones from BLU Products suffer from the issue, along with over a dozen devices from other vendors, namely Infinix Mobility, DOOGEE, LEAGOO, IKU Mobile, Beeline, and XOLO.

BLU said they already issued a software update to resolve the issue, but the remaining devices might still be affected.

While analyzing the bug, AnubisNetworks found the unencrypted data transmission starts soon after the first-use setup process begins, and the inspected device, a BLU Studio G, attempted to contact three pre-configured domains, the researchers said.

Two of the domains remained unregistered and the researchers acquired them, which provided them with visibility into the population of affected devices.

This also provided security researchers with the ability to check the type of commands supported in the vulnerable setup. One of the interesting findings was a check created to mask the fact that “/system/bin/debugsrun” and “/system/bin/debugs” were running: their presence would end up hidden or skipped in the user output, the researchers said.

Deeper analysis revealed the Java framework had also been modified to hide references to this process.

Overall, over 2.8 million distinct devices, across around 55 reported device models, ended up connecting to the researchers’ sinkholes.
