BLU Studio G smartphone

Security researchers have discovered that third-party firmware included with over 2.8 million low-end Android smartphones allows attackers to compromise Over-the-Air (OTA) update operations and execute commands on the target's phone with root privileges.

Mobile experts from Anubis Networks discovered the problem this week. This is the second issue of its kind that came to light this week after researchers from Kryptowire discovered a similar secret backdoor in the firmware of Chinese firm Shanghai Adups Technology Co. Ltd..

This time around, the problem affected Android firmware created by another Chinese company named Ragentek Group.

Ragentek firmware uses an unencrypted OTA update procedure

Researchers say they've discovered the issue after one of their researchers bought a BLU Studio G smartphone from Best Buy.

They say the smartphone used an insecure Over-the-Air update system, powered by the Ragentek firmware, which contacts remote servers via an unencrypted communications channel. The lack of SSL support means an attacker can carry out a basic Man-in-the-Middle attack and fake responses from the OTA server, sending rogue commands to the user's smartphone.

While there are numerous devices and apps that fail to secure client-server communications via HTTPS, Anubis researchers say the issue goes much deeper.

Firmware OTA tries to disguise its presence

The binary responsible for the firmware OTA update operations also includes code to hide its presence from the Android OS, along with two other binaries and their processes. A developer looking at active Android processes won't be able to tell when there's an update coming to his phone.

Because this OTA system comes pre-installed on various devices and is responsible for various self-update operations, it also runs as root. Without SSL protection, this OTA system is an open backdoor for anyone looking to take control of it.

Furthermore, the firmware also includes three hard-coded OTA server domains. Only one of those three domains was registered when Anubis researchers discovered the flaw, tracked as CVE-2016-6564.

Researchers registered the other two domains. This allowed the research team not only to send commands to all smartphones running Ragentek firmware but also gather statistics about how many devices have this de-facto backdoor.

Numerous Android vendors affected

According to Anubis, multiple smartphones models from BLU Products are the most affected. BLU was also the top smartphone vendor affected by the Adups backdoor discovered by Kryptowire researchers.

Other vendors such as Infinix Mobility, DOOGEE, LEAGOO, IKU Mobile, Beeline, and XOLO, are also affected.

The "Others" category from the chart above signifies other types of devices that the researchers weren't able to identify. This may be the same backdoor or another backdoor that talks to the same OTA servers.

Anubis says it worked with Google, BLU, and US-CERT (United States Computer Emergency Readiness Team) to notify all affected vendors. US-CERT has also issued a public advisory on this matter. The advisory includes a list of affected smartphone models, and the status of patching operations.

Compared to the Adups backdoor discovered earlier this week, the Ragentek one didn't collect information on its users, and neither did it send this data to servers in China.