The China's Google-like Search Engine Baidu is offering a software development kit (SDK) that contains functionality that can be abused to give backdoor-like access to a user's device, potentially exposing around 100 Million Android users to malicious hackers.

The SDK in question is Moplus, which may not be directly available to the public but has already made its way into more than 14,000 Android apps, of which around 4,000 are actually created by Baidu.

Overall, more than 100 Million Android users, who have downloaded these apps on their smartphones, are in danger.

Security researchers from Trend Micro have discovered a vulnerability in the Moplus SDK, called Wormhole, that allows attackers to launch an unsecured and unauthenticated HTTP server connection on affected devices, which works silently in the background, without the user's knowledge.
- See more at: Backdoor in Baidu Android SDK Puts 100 Million Devices at Risk - The Hacker News
  • Like
Reactions: Kent and Kuttz


Security researchers from Trend Micro have discovered that a software development kit used by thousands of applications is leaving Android users at risk.

The Moplus SDK was created by Chinese firm Baidu and is susceptible to backdoor functionalities. It is believed that approximately 100 million Android devices users are affected.

“This SDK has backdoor routines such as pushing phishing pages, inserting arbitrary contacts, sending fake SMS, uploading local files to remote servers, and installing any applications to the Android devices without user’s authorization”, the Trend Micro researchers explain. “The only requirement is for the device to be connected to the Internet first before any of these routines execute. Our findings also revealed that a malware is already leveraging Moplus SDK in the wild”.

The Moplus vulnerability is particularly severe because attackers simply have to scan mobile network IP addresses for any that contain the opened Moplus HTTP server ports. Attackers can then acquire sensitive information simply by sending requests to this server. If devices have been rooted, unwanted applications can even be installed. Trend Micro has already found that a type of malware known as Wormhole has been installed using this method.

Both Baidu and Google have now been informed of the security issue and the former has responded by removing, or making inactive, any lines of malicious code. The remaining dead code will also be removed by the next update purely for the sake of clarity.

Although the swift action taken by Baidu is to be welcomed, it remains to be seen how many third-party developers using Moplus will upgrade their applications built with the SDK. Only around 4,000 of the 14,000 affected apps were developed by Baidu, so there is a significant chance that much of the infected software will remain available.