A vulnerability known as Wormhole that reportedly affected the software development kit (SDK), Moplus by Baidu is making waves due to the severity of the impact once successfully exploited. The said vulnerability was discovered by WooYun.og, a vulnerability reporting platform in China.

However, as our investigation on this security bug unfolded, we found out that the Moplus SDK has backdoor functionalities that are not necessarily due or related to a vulnerability. Currently, people perceived that the issue lies in access permission control of Moplus SDK and how it should limit this access. Hence, the notion that it is vulnerability-related when in actual this SDK has backdoor routines such as pushing phishing pages, inserting arbitrary contacts, sending fake SMS, uploading local files to remote servers, and installing any applications to the Android devices without user’s authorization. The only requirement is for the device to be connected to the Internet first before any of these routines execute. Moplus SDK has been integrated to numerous Android apps, which affected 100 million Android device users. Our findings also revealed that a malware is already leveraging Moplus SDK in the wild.

In this blog entry, we shed light on the Moplus SDK’s malicious codes and the risks these pose to Android devices.

Figure 1. A malware uses the Moplus SDK to silently install itself on the device.

Digging through the Moplus SDK

Moplus SDK is created by Baidu, a search engine giant in China. For our investigation, we examined two different apps, Baidu Map (com.baidu.BaiduMap, 8.7.0) and “奇闻异录”( com.ufo.dcb.lingyi, 1.3). The SDK versions are different, but most codes are same

Figure 2. Moplus SDK included in com.ufo.dcb.lingyi

Figure 3. Moplus SDK included in com.baidu.BaiduMap

How is it integrated to apps?

From the application manifest file, the Moplus SDK is included in an independent process. The main service called com.baidu.android.moplus.MoPlusService, can be triggered by different broadcast receivers, including the device on boot event.

Figure 4. Moplus is integrated into an independent background. In effect, the malicious process will auto-start at every device boot up.

How does Moplus SDK function as backdoor?

When a user launches an application, Moplus SDK automatically sets up a local http server on the device in the background. It keeps monitoring the messages that go through the socket. To accomplish this, it integrates and modifies NanoHttpd, a simple open source HTTP server written in Java, into its code.

Figure 5. Moplus SDK integrates and modifies NanoHttpd into its code.

The TCP port bind to this HTTP server is not always same. In our case, we found it is port 6259 binded in com.ufo.dcb.lingyi while it’s port 40310 for com.baidu.BaiduMap.

Figure 6. TCP port binded to local HTTP server is not always same.

The HTTP server will keep listening to the TCP port. It will receive and parse messages sent from remote clients. Once there is new HTTP request, it will get and parse the message header and body, and start calling its own tasks by overriding the “server” function as specified in NanoHttpd documents.

Figure 7. Monitor HTTP requests from socket connection

Figure 8. Override “server” function to call its own malicious tasks

This is a typical command & control(C&C) attack model. Compare with traditional C&C attack, the only difference is in this case, the server is at the user side, but attack client can be anywhere. There are lots of malicious functionalities like downloading and uploading of files etc. involved in the SDK, each serve as a single class file.

Figure 9. Malicious functionalities supported by Moplus SDK

Figure 10. Map between malicious commands and their corresponding source classes

Based on the above screenshots, an attacker can remotely get locations, searchbox infos, package information and other sensitive data from user devices. It can remotely add contacts, scan download files and upload specific files on user devices. All of these can be simply done by sending an HTTP request from anywhere.

Figure 11. A case of batch inserts arbitrary contacts

A special command, “sendintent,” can be used to send local intent on devices. As such, this can remotely make phone calls, send bogus messages, and install arbitrary apps without the user’s consent.

Figure 12. A command dubbed as “sendintent” can be used by an attacker to do malicious controls on the user device.

The SDK also supports silent APK installation and differentiate rooted devices.

Figure 13. Support installing application silently

Figure 14. Differentiate root users to do more aggressive attacks

These details clearly solidify our findings that it is a backdoor malware. An attack can be done to any devices already infected by Moplus SDK. We have a short demo on Nexus 6 with Android 6.0 up to date (see figures 16-18). When the Baidu Map is launched, one can find that the malicious service (bdservice_v1) is always running in the background.

Figure 15. Malicious service, bdservice_v1 is always running in the background.

Figures 16-18. In this series of images, we depicted how another contact is added to the mobile device.

Since there is no identity authentication in the local HTTP server (which is set up by Moplus SDK), an attack can be triggered not only by an App developer but by anyone. With just one command, an attacker or cybercriminal can remotely control the infected device. In addition, they only need to scan the full network segment with NMAP to test TCP port 6259 or 40310 status. All Android devices marked with port status, OPEN can possibly be remotely controlled. Note that all devices under the same LAN as well as under the same 3G/4G networks can be attacked.

This is a critical issue, perhaps even worse than Stagefright vulnerability that requires phishing links to web pages or user phone number, which are then used to send malicious MMS. With this security issue, attackers just simply scan the network IP and require no action from the user’s end or any social engineering attacks.

Other findings and countermeasures

We have detected a malware (ANDROIDOS_WORMHOLE.HRXA) in the wild that uses Moplus SDK to automatically and periodically deploy unwanted applications. When it comes to user devices, the applications will be installed silently if it is rooted.

Sha1: 2FA40A5302D92FB0C5C64CF6197F2D671BA7C30D.

What are the apps that integrated Moplus SDK?

Moplus SDK is not an open SDK which can be only possibly used by Baidu. Based on our data, some of the 14,112 apps that integrated this SDK have different versions or different SHA1s. There are 4,014 on Baidu official apps among them. As some of these used earlier versions, it is very likely that users don’t maintain the latest version of apps for their usage. The top 20 hit applications are list below:

com.qiyi.video

com.baidu.video

com.baidu.BaiduMap

com.baidu.browser.apps

com.baidu.appsearch

com.nd.android.pandahome2

com.hiapk.marketpho

com.baidu.hao123

com.baidu.searchbox

tv.pps.mobile

com.mfw.roadbook

com.tuniu.app.ui

com.ifeng.newvideo

com.baidu.netdisk

com.quanleimu.activity

com.dragon.android.pandaspace

com.yuedong.sport

com.dongqiudi.news

air.fyzb3

com.managershare

In the latest update from Baidu, they already removed the malicious codes in the Moplus SDK and fixed the issue in its latest products. Upon checking the latest code of Baidu Map, we found out based on our static code analyis using the version 8.7.0 that they may still keep the NanoHttpd server open in user devices with the binded port still at 40310. Throughout our further analysis with Baidu, however, the code doesn’t work on the devices with the latest version, 8.7.5 released October 30.

Figure 19. Based on the static code analysis, Local HTTP server is kept in the latest Moplus update with same TCP port hardcoded.

They removed some malicious commands and their corresponding codes. They also remove the malicious part of installing applications silently and automatically for rooted devices. As seen in figure 21, not all malicious functionalities have been deleted by Moplus SDK, making devices still at risk.

Figure 20. Part of malicious commands remain in the latest Moplus SDK.

Figure 21. Only malicious functionalities in red part have been removed in the latest Moplus SDK.

How does Trend Micro protect users?

Trend Micro protects users via its Trend Micro Mobile Security that detects the malicious SDK (ANDROIDOS_WORMHOLE.HRXA) before it can be installed on the device. Its app virus scanner feature can scan installed apps to filter out the malicious apps. Our unlimited updates and cloud scanner technologies ensure continuous protection from any mobile malware.

We also recommend users to uninstall those infected applications unless there is an upgrade that confirms that the malicious behavior of the SDK has been totally removed. We’re currently monitoring this for any updates.

We already informed Google and Baidu regarding this security issue.

With additional data from threat analyst Jordan Pan.

Update as of November 4, 2015, 2:35 A.M. PDT (UTC-7):

Baidu replied to Trend Micro that they have addressed the vulnerability since October 30, 2015. They have also submitted updated Baidu apps to Google Play, some of which have already been approved while others are still pending approval. Baidu will remove the problematic “dead code” in the next version releases of the affected apps. The images have also been updated.

Updated on November 4, 2015 8:42 P.M. PDT (UTC-7) to add more details on apps integrated Moplus SDK and the affected version throughout our further analysis with Baidu.