China's Google-like search engine Baidu is offering a software development kit (SDK) that contains functionality that can be abused to give backdoor-like access to a user's device, potentially exposing around 100 Million Android users to malicious hackers.
The SDK in question is Moplus, which may not be directly available to the public but has already made its way into more than 14,000 Android apps, of which around 4,000 are actually created by Baidu.
Overall, more than 100 Million Android users, who have downloaded these apps on their smartphones, are in danger.
The SDK's hidden HTTP server does not use authentication and accepts requests from anyone on the Internet, so an attacker who can send requests to the port it listens on can make the device execute malicious commands.
Malicious Functionalities of Wormhole
Currently, the researchers have identified that the SDK uses port 6259 or 40310 to perform malicious activities on affected Android devices, which include:
- Send SMS messages
- Make phone calls
- Get mobile phone details
- Add new contacts
- Get a list of local apps
- Download files on the device
- Upload files from the device
- Silently install other apps (if the phone is rooted)
- Push Web pages
- Get phone's geo-location, and many more
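The only observable the article gives a defender is the pair of listening ports (6259 and 40310) used by the SDK's unauthenticated HTTP server. The following Python is an added example, not code from the article, Trend Micro or Baidu: it parses netstat-style socket listings (the sample output below is constructed for this example) and flags any TCP listener on a Wormhole port, recording whether it is bound to all interfaces, which is what makes it reachable from the network as the article describes, or only to loopback.

```python
import re
from typing import Dict, List

# Ports the article reports for the Moplus SDK's hidden HTTP server.
WORMHOLE_PORTS = {6259, 40310}

# Constructed sample of `netstat -tln`-style output; these lines are made up
# for this example and are not real device output.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:6259            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5037          0.0.0.0:*               LISTEN
tcp6       0      0 :::40310                :::*                    LISTEN
tcp        0      0 10.0.2.15:43122         93.184.216.34:443       ESTABLISHED
"""

# Matches: proto, recv-q, send-q, local address, foreign address, state.
_LINE_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)")


def split_host_port(addr: str):
    """Split 'host:port' (IPv4, or IPv6 such as ':::40310') into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def find_wormhole_listeners(netstat_output: str) -> List[Dict[str, object]]:
    """Return every TCP LISTEN socket on a known Wormhole port.

    Each hit records the bind address and whether the socket is bound to a
    wildcard address (0.0.0.0 or ::), i.e. reachable from the network rather
    than only from the device itself.
    """
    hits = []
    for line in netstat_output.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # header or non-TCP line
        proto, local, _remote, state = m.groups()
        if state != "LISTEN":
            continue
        host, port = split_host_port(local)
        if port not in WORMHOLE_PORTS:
            continue
        hits.append({
            "proto": proto,
            "bind": host,
            "port": port,
            "all_interfaces": host in ("0.0.0.0", "::"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_wormhole_listeners(SAMPLE_NETSTAT):
        exposure = "ALL INTERFACES" if hit["all_interfaces"] else "loopback/local only"
        print(f"{hit['proto']} {hit['bind']}:{hit['port']} LISTEN ({exposure})")
```

To check a device you administer, feed the function the text of a socket listing taken from the device (for example the output of `netstat -tln` over an adb shell, assuming the device's netstat supports those flags); a hit with `all_interfaces` set is the condition the article describes, a listener that anyone who can reach the device over the network can talk to without authentication.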
Wormhole is More Dangerous than Stagefright
The vulnerability, according to researchers, is potentially easier to exploit than the Stagefright flaw, as Wormhole doesn't require social engineering to infect an unsuspecting user.
Trend Micro has also found at least one malware strain (detected as ANDROIDOS_WORMHOLE.HRXA) in the wild that takes advantage of Wormhole in Moplus SDK.
Researchers informed both Baidu as well as Google of the vulnerability.
This isn't the first time a Chinese company has been caught distributing a malicious SDK. Just a few days ago, the Taomike SDK – one of the biggest mobile ad solutions in China – was caught secretly spying on users' SMS messages and uploading them to a server in China.
The same malicious functionality was also discovered two weeks back in another SDK, developed by Youmi, that affected 256 iOS apps, which were caught using private APIs to collect users' private data. However, Apple eventually banned those apps from its App Store.