Security News Android Vulnerability Affects 2.8 Million Devices

Exterminator

A new Android vulnerability, estimated to impact 2.8 million devices worldwide at its peak, has been uncovered by security ratings firm BitSight.

The vulnerability, which affects devices out of the box, involves Android devices (including the BLU Studio G from Best Buy) and an over-the-air (OTA) update mechanism associated with the software company Ragentek Group in China. Certain mobile phones are thus vulnerable to man-in-the-middle attacks, allowing adversaries to execute arbitrary commands as a privileged user—such as extracting information or remotely wiping the device—and making it possible to gain access to other systems on a corporate network and steal sensitive information.

Many of these devices sit unknowingly on enterprise corporate networks.

According to BitSight, transactions from the binary to the third-party endpoint occur over an unencrypted channel, which not only exposes user-specific information during these communications, but would allow an adversary to issue commands supported by the protocol. One of these commands allows for the execution of system commands.

“This OTA binary was distributed with a set of domains preconfigured in the software,” the company said. “Only one of these domains was registered at the time of the discovery of this issue. If an adversary had noticed this, and registered these two domains, they would’ve instantly had access to perform arbitrary attacks on almost 3,000,000 devices without the need to perform a man-in-the-middle attack.”

BitSight’s AnubisNetworks now controls these two extraneous domains to prevent such an attack from occurring in the future, it said.

Still, the impact is significant. “We have observed over 2.8 million distinct devices, across roughly 55 reported device models, which have checked into our sinkholes since we registered the extraneous domains,” the company said. “In some cases, we have not been [able] to translate the provided device model into a reference to the real-world device. Thus, there could be additional device models affected.”
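For defenders asking whether such devices sit on their own network, as the article warns, here is an added example (not from the article or from BitSight): Python detection logic run over constructed proxy log lines that flags plaintext check-ins to the preconfigured OTA domains and tallies distinct clients per reported device model, the same kind of count the sinkhole figures above come from. The domain names, the log format and the use of the User-Agent as the model string are placeholders and assumptions, since the article names none of them.

```python
import re
from collections import defaultdict

# Placeholders for the preconfigured OTA domains from the BitSight report;
# the real names are not reproduced here. Swap in the advisory's indicators
# before running this against real logs.
OTA_DOMAINS = {"ota-placeholder-1.example", "ota-placeholder-2.example",
               "ota-placeholder-3.example"}

# Assumed proxy log layout: ts client_ip method scheme://host/path status "user_agent"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<scheme>https?)://(?P<host>[^/\s]+)"
    r"(?P<path>\S*) (?P<status>\d{3}) \"(?P<ua>[^\"]*)\"$"
)

def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_ota_checkins(lines, domains=OTA_DOMAINS):
    """Return one alert per request to an OTA domain: client, host, whether it
    travelled over plaintext HTTP, and the model string (assumed to be the UA)."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["host"].lower() not in domains:
            continue
        alerts.append({"src": rec["src"], "host": rec["host"],
                       "plaintext": rec["scheme"] == "http", "model": rec["ua"]})
    return alerts

def devices_per_model(alerts):
    """Count distinct internal clients per reported model, sinkhole-report style."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a["model"]].add(a["src"])
    return {model: len(ips) for model, ips in seen.items()}

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '2016-11-17T10:01:02Z 10.0.5.21 POST http://ota-placeholder-1.example/check 200 "BLU Studio G"',
    '2016-11-17T10:01:09Z 10.0.5.22 POST http://ota-placeholder-2.example/check 200 "BLU Studio G"',
    '2016-11-17T10:01:09Z 10.0.5.21 POST http://ota-placeholder-1.example/check 200 "BLU Studio G"',
    '2016-11-17T10:02:30Z 10.0.7.4 GET https://updates.example.org/manifest 200 "OtherPhone"',
    '2016-11-17T10:03:11Z 10.0.9.8 POST http://ota-placeholder-3.example/check 404 "UNKNOWN-MODEL"',
]

if __name__ == "__main__":
    found = find_ota_checkins(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(devices_per_model(found))
```

Any client that appears here is a device whose update channel can be hijacked by whoever controls those domains or the path to them, so it belongs on an isolated segment until the vendor ships a fix.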
 
My old Samsung S3 has not been updated for years, and it is a repository of vulnerabilities.
A normal situation, because vendors are pushing the user towards the purchase of a new smartphone.
So there are two options: I keep my old S3 with its old vulnerabilities, or I purchase a new smartphone with new flaws...:D:rolleyes:
 
Usually those vulnerabilities are already common, and Google has already issued notification to patch them in the latest update.

The problem comes from 3rd-party manufacturers, who only deliver updates for specific fixes rather than the overall Android patches.
 
Hopefully they push out an update. I am 99% sure they can push out some security updates using Google Play Services in the background. I try to install Android software/firmware upgrades through Samsung SmartSwitch on my PC rather than OTA. You can back up and restore the contents, and get a full update that it flashes (so there is less risk of a corrupted file IMHO, and I am pretty sure it wipes the device instead of just patching it OTA). Another layer of reliability and security for me. Consider using it - just follow the instructions!

Samsung Smart Switch