100 Million Android Devices at Risk Due to Baidu SDK Vulnerability

A software development kit (SDK) by popular Chinese search engine Baidu has a function that potentially grants backdoor-like access to an end-user’s device. This exploit could serve to compromise 100 million Android users.

Security firm Trend Micro has uncovered a vulnerability deemed – Wormhole that affects the Moplus SDK by Baidu. It’s a critical threat, if exploited as the Moplus SDK is found to contain backdoor vulnerabilities. As things stand, applications built from the Moplus toolkit amount to nearly 14,000 Android apps in total. Among these applications, 4014 are official Baidu apps.

The top 20 applications affected are:

  • qiyi.video
  • baidu.video
  • baidu.BaiduMap
  • baidu.browser.apps
  • baidu.appsearch
  • nd.android.pandahome2
  • hiapk.marketpho
  • baidu.hao123
  • baidu.searchbox
  • pps.mobile
  • mfw.roadbook
  • tuniu.app.ui
  • ifeng.newvideo
  • baidu.netdisk
  • quanleimu.activity
  • dragon.android.pandaspace
  • yuedong.sport
  • dongqiudi.news
  • fyzb3
  • managershare

The Moplus SDK Backdoor

Trend Micro security researchers discovered that attackers looking to take advantage of the functionality of the SDK are granted the means to launch server connections that are both unsecure and unauthenticated by certificates, while trying to connect to affected devices.

It’s important to note that the unsecured server operates without authentication and is open to accept requests from anyone on the internet, raising the threat to the possible compromise by a malicious actor.

Related article: Simple Android Hack Leaves 95% Devices Vulnerable

Researchers explain that the common presumption employed with infected toolkits is that “The issue lies in access permission control of Moplus SDK and how it should limit this access.” The reality however, is that this is barely related to any vulnerability. Instead, the SDK is shown to employ backdoor routines using ports 6259 and/or 40310 to engage in malicious activities on targeted Android devices such as:

  • Making phone calls
  • Obtaining new contact information
  • Gathering a list of the locally installed apps on the phone.
  • Pushing URLs to open web-pages
  • Locate the phone via it’s geo-location
  • Upload and download files from and to the device, among other actions.

Predictably, Trend Micro has informed both Google and Baidu of these concerns and the Chinese search giant has pushed a fix with a new version of the SDK. However, the action only translates to a partial fix as Baidu has retained some of the SDK’s functionality that was already seen as a backdoor threat.