BLU Products, a U.S. manufacturer of low-cost Android smartphones, has patched yet another vulnerability within Chinese-made firmware that shipped in its devices, albeit 11 months after security analysts first raised flags. It's another persuasive reason to perhaps steer clear of super-cheap, Android-powered smartphones from less established manufacturers.
See Also: 2016 IAM Research: Where Financial Institutions' PAM Programs Are Falling Short
Once again, the vulnerability is in FOTA, or firmware over-the-air, software, which manages the distribution of firmware updates to large numbers of mobile devices. Firmware is low-level code in an operating system that, if faulty, can be a risk to personal data stored on a device.
The code also shipped in devices from other Android manufacturers, including Infinix, Doogee, Leagoo, Iku, Beeline and Xolo, although it's unknown if some of those firms' devices are vulnerable.
Carnegie Mellon University's CERT says in an advisory that the software's behavior "could best be described as a rookit." The software comes from Ragentek of Shanghai, a mobile phone manufacturer and software developer.
Officials with BLU Products, which is based in Doral, Fla., could not be reached for comment, but CERT's advisory indicated that BLU issued a patch on Nov. 11. The company's devices are sold at retailers including Best Buy and Amazon.com.
AnubisNetworks, which is owned by BitSight, published a blog post on Nov. 17 describing its findings. Other researchers had flagged issues on Twitter with Ragentek's software in January.
BLU's Studio G
AnubisNetworks bought at Best Buy a BLU Studio G smartphone, which was first released in January 2015. The researchers set it up and then watched network traffic coming to and from the device. Oddly, they found it was trying to reach several domain names that had been hard-coded into the firmware.
Ragentek didn't control those domains. In fact, the domains weren't even registered. The BLU phone tried to reach the domains using an unencrypted connection, which opens up a range of possible attacks.
AnubisNetworks registered the domains, which allowed it to get a rough idea of how many devices might be affected, a technique known as sinkholing.
"We have observed over 2.8 million distinct devices, across roughly 55 reported device models, which have checked into our sinkholes since we registered the extraneous domains," writes Dan Dahlberg, a BitSight research scientist, and João Gouveia, who is the CTO and co-founder of AnubisNetworks.
The researchers warned that if attackers had registered the domains instead "they would've instantly had access to perform arbitrary attacks on almost 3 million devices without the need to perform a man-in-the-middle attack."
Ragentek's binary also runs as root, a level of access that gives it complete control over the device.
Spotted Before
In January, the nonprofit research group MalwareMustDie published a post on Pastebin that came essentially to the same conclusion as AnubisNetworks. It's unclear why it took so long for the issue to be resolved, especially for such a serious vulnerability.
But researchers often have trouble flagging the interest of manufacturers and software developers, some of whom aren't terribly responsive to security reports. The lack of alarm often becomes more common down the software food chain where vendors compete largely on costs rather than other merits, such as security.
Last week, attention was focused on BLU Products after Kryptologic, an enterprise mobile security company, found one of its devices transmitted call logs and text messages every 72 hours to a server in Shanghai (see Why Did Chinese Spyware Linger in U.S. Phones?).
The FOTA software was made by Shanghai Adups Technology. Again, analysts had flagged the Adups software in the past for glaring software vulnerabilities.
BLU updated its products, and Adups apologized. The Chinese company said the version of the FOTA software that ended up on the BLU phones was actually intended for other of its clients.
The reason the software transmitted call logs and text messages was to enable better blocking of spam and unwanted marketing calls, Adups said. But the software just as easily could have been used to spy on consumers, an alarming finding given its origin in China, which closely monitors online communications of its citizens.