November 4, 2015

100 Million Android Devices at Risk Due to Baidu SDK Vulnerability

A software development kit (SDK) from Baidu, the popular Chinese search engine, contains functionality that grants backdoor-like access to an end user’s device. The flaw could expose as many as 100 million Android users to compromise.

Security firm Trend Micro has uncovered a vulnerability, dubbed Wormhole, that affects Baidu’s Moplus SDK. It is a critical threat if exploited, because the Moplus SDK itself contains backdoor-like routines. At present, nearly 14,000 Android apps in total are built with the Moplus toolkit, and 4,014 of them are official Baidu apps.

The top 20 applications affected are:

  • qiyi.video
  • baidu.video
  • baidu.BaiduMap
  • baidu.browser.apps
  • baidu.appsearch
  • nd.android.pandahome2
  • hiapk.marketpho
  • baidu.hao123
  • baidu.searchbox
  • pps.mobile
  • mfw.roadbook
  • tuniu.app.ui
  • ifeng.newvideo
  • baidu.netdisk
  • quanleimu.activity
  • dragon.android.pandaspace
  • yuedong.sport
  • dongqiudi.news
  • fyzb3
  • managershare

The Moplus SDK Backdoor

Trend Micro security researchers discovered that the SDK opens a server through which affected devices can be reached, and that connections to it are neither encrypted nor authenticated by certificates, so an attacker can turn the SDK’s own functionality against the device.

It is important to note that this unsecured server requires no authentication and accepts requests from anyone on the internet, which raises the risk of compromise by a malicious actor.


Researchers explain that the natural assumption with such a toolkit is that “The issue lies in access permission control of Moplus SDK and how it should limit this access.” In reality, however, this is barely a vulnerability in the usual sense: the SDK itself implements backdoor routines, listening on ports 6259 and/or 40310, that can be used to carry out malicious actions on targeted Android devices, such as:

  • Making phone calls
  • Obtaining new contact information
  • Gathering a list of the apps installed on the phone
  • Pushing URLs to open web pages
  • Locating the phone via its geolocation
  • Uploading and downloading files to and from the device, among other actions
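As an added example (not code from the article or from Trend Micro), the following Python script lets a defender check a device for the indicators the article gives: whether any of the listed apps are installed and whether either Moplus port is in a listening state. The `adb` commands it parses are assumed to be the source of its input, and the sample outputs are constructed.

```python
# Audit for the Moplus SDK indicators described in the article, using the text of
# `adb shell pm list packages` and `adb shell netstat -tan` run on the device.
# The sample outputs below are constructed for this example, not captured data.

# Package names as the article lists them. The article omits the vendor prefix
# (e.g. "com."), so a package matches when it ends with one of these names.
AFFECTED_APPS = [
    "qiyi.video", "baidu.video", "baidu.BaiduMap", "baidu.browser.apps",
    "baidu.appsearch", "nd.android.pandahome2", "hiapk.marketpho",
    "baidu.hao123", "baidu.searchbox", "pps.mobile", "mfw.roadbook",
    "tuniu.app.ui", "ifeng.newvideo", "baidu.netdisk", "quanleimu.activity",
    "dragon.android.pandaspace", "yuedong.sport", "dongqiudi.news",
    "fyzb3", "managershare",
]
MOPLUS_PORTS = {6259, 40310}  # ports the article reports the backdoor routines using

def affected_packages(pm_output: str) -> list[str]:
    """Installed package names (from `pm list packages` output) matching an affected app."""
    installed = [line.split(":", 1)[1].strip()
                 for line in pm_output.splitlines() if line.startswith("package:")]
    return sorted(pkg for pkg in installed
                  if any(pkg == app or pkg.endswith("." + app) for app in AFFECTED_APPS))

def listening_moplus_ports(netstat_output: str) -> set[int]:
    """Moplus ports found in LISTEN state in netstat output."""
    found = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        # Expected columns: Proto Recv-Q Send-Q Local-Address Foreign-Address State
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6") or fields[5] != "LISTEN":
            continue
        port = int(fields[3].rsplit(":", 1)[1])  # handles 0.0.0.0:6259 and :::40310
        if port in MOPLUS_PORTS:
            found.add(port)
    return found

# Constructed sample output, not taken from a real device.
SAMPLE_PM = """package:com.android.settings
package:com.baidu.BaiduMap
package:com.qiyi.video
"""
SAMPLE_NETSTAT = """Proto Recv-Q Send-Q Local Address   Foreign Address   State
tcp    0 0 0.0.0.0:6259     0.0.0.0:*      LISTEN
tcp    0 0 127.0.0.1:5037   0.0.0.0:*      LISTEN
tcp6   0 0 :::40310         :::*           LISTEN
tcp    0 0 10.0.0.5:44512   203.0.113.7:443 ESTABLISHED
"""

if __name__ == "__main__":
    print(affected_packages(SAMPLE_PM), listening_moplus_ports(SAMPLE_NETSTAT))
```

A match on either check is only an indicator: an app on the list may already carry the updated SDK, so confirm the SDK version before treating the device as exposed.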

Predictably, Trend Micro has informed both Google and Baidu of these concerns, and the Chinese search giant has pushed a fix in a new version of the SDK. However, this amounts to only a partial fix, as Baidu has retained some of the SDK functionality that was already identified as a backdoor threat.


About the author


LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high-profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
