Possible Backdoor on Android Devices
Wednesday, November 4, 2015 @ 02:11 PM gHale
A Chinese search engine is offering a software development kit whose functionality can be used to install backdoors on users’ devices.
The software development kit (SDK) is Moplus, and according to estimates it is bundled in 14,112 Android applications, 4,014 of which were developed by the Chinese search engine Baidu itself. Adding up the download figures for these apps, over 100 million Android users may be in danger, said researchers at Trend Micro.
Moplus SDK automatically launches an HTTP server on the user’s smartphone, which runs silently in the phone’s background without the user ever noticing it, Trend Micro researchers said in a blog post.
This server can be controlled by attackers, who send it HTTP requests on a particular port telling it to execute malicious commands. So far, Trend Micro has observed the SDK using port 6259 or 40310.
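Because the SDK’s server binds to a fixed port, a device owner or analyst can check a phone for it from the device side. The script below is an added example, not code from the article or from Trend Micro: it parses output in the Linux `/proc/net/tcp` format (which an Android device exposes and can be read over `adb shell`) and reports any socket in the LISTEN state on 6259 or 40310, together with the owning UID, which on Android identifies the installed app. The only facts taken from the article are the two port numbers; the sample rows are constructed, and the UID values in them are made up.

```python
"""Flag listening TCP sockets on the two ports Trend Micro reported for the
Moplus SDK (6259 and 40310) by parsing /proc/net/tcp-style output.

Added example for illustration; not code from the article or from Trend Micro.
The sample rows below are constructed, not captured from a real device.
"""

MOPLUS_PORTS = {6259, 40310}   # ports named in the article
TCP_LISTEN = 0x0A              # kernel state code for LISTEN in /proc/net/tcp

# Constructed sample of /proc/net/tcp (as read with `adb shell cat /proc/net/tcp`).
# Row 0: a listener on 0x1873 = 6259 owned by app UID 10087 -> should be flagged.
# Row 1: an established connection (state 01) on 0x9D76 = 40310 -> not a listener.
# Row 2: a listener on 0x1F90 = 8080 -> unrelated port, not flagged.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1873 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10087        0 28311 1 0000000000000000 100 0 0 10 0
   1: 0100007F:9D76 0100007F:C350 01 00000000:00000000 00:00000000 00000000 10087        0 28399 1 0000000000000000 20 4 30 10 -1
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12008 1 0000000000000000 100 0 0 10 0
"""


def parse_proc_net_tcp(text):
    """Yield (local_port, state, uid) for each data row of /proc/net/tcp text.

    Columns are whitespace separated: [0]=sl, [1]=local_address (hex ip:port),
    [2]=rem_address, [3]=st (hex state), ..., [7]=uid. The header row is skipped.
    """
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 8:
            continue  # blank or truncated row
        _local_ip_hex, local_port_hex = fields[1].split(":")
        yield int(local_port_hex, 16), int(fields[3], 16), int(fields[7])


def find_moplus_listeners(text, ports=MOPLUS_PORTS):
    """Return [(port, uid), ...] for sockets in LISTEN state on the given ports."""
    return [
        (port, uid)
        for port, state, uid in parse_proc_net_tcp(text)
        if state == TCP_LISTEN and port in ports
    ]


if __name__ == "__main__":
    hits = find_moplus_listeners(SAMPLE_PROC_NET_TCP)
    if not hits:
        print("no listener on the Moplus ports")
    for port, uid in hits:
        # The UID maps to one installed package; look it up to see which app bundles the SDK.
        print(f"listener on port {port} owned by UID {uid}")
```

Only LISTEN sockets are reported: an established connection on one of the ports (row 1 in the sample) is not by itself evidence that the SDK’s server is running, and a listener on an unrelated port (row 2) is ignored. The UID is what makes the finding actionable, since Android assigns each installed app its own UID and that lets the listener be traced to a specific package.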
These are some of the tasks Moplus SDK can do:
• Get phone details
• Send SMS messages
• Make phone calls
• Add new contacts
• Download files on the device
• Upload files from the device
• Get a list of local apps
• Silently install other apps
• Push Web pages
• Get phone’s geolocation
Since the SDK deploys the Web server automatically whenever an app that includes it starts, attackers only need to scan a mobile network for the two ports to find vulnerable devices they can take advantage of.
Trend Micro observed the SDK used by at least one malware strain (ANDROIDOS_WORMHOLE.HRXA).
Baidu is aware of the issue and has removed some of the SDK’s functionality, but not all of it. In its most recent update, Baidu eliminated the SDK’s ability to download or upload files, scan for local apps, add new contacts, or scan downloaded files. All of the other functionality remains intact.