Almost three million Android phones, many of them used by people in the US, are vulnerable to code-execution attacks that remotely seize full control of the devices, researchers said Thursday.
Until recently, the flaw could have been exploited by anyone who took the time to register two Internet domains that remained unregistered despite being hardwired into the firmware that introduced the vulnerability. After discovering the vulnerability, researchers from security ratings firm BitSight Technologies registered the domains and control them to this day. Even now, the buggy firmware still sends its traffic to a server located in China without encryption, so an attacker who can intercept that traffic, for instance on a public hotspot or other unsecured network where the phone is not using a VPN, can still mount a code-execution attack.
The firmware also allows apps to be installed with escalated privileges, and the phones were vulnerable from the moment they left the factory. BitSight writes, "The fact that the device reached out to defined head-ends immediately after initialization implies that the devices are affected by this issue out of the box, and were not subsequently compromised through other means, such as through a subsequent update." One BitSight researcher took to Twitter to describe the scope of the problem:
We're seeing lots of connections coming from all sorts of sectors, including healthcare, government and banking. Scary stuff.
This from one of the researchers who discovered the backdoor/rootkit preinstalled on 3 million Android phones. https://twitter.com/jgouv/status/799697427213205504
What makes a man-in-the-middle (MITM) attack practical here is that Ragentek, the firmware's maker, does not encrypt the communications sent to and from affected Android devices, so anyone on the network path can read and rewrite them. Even more damning, the update payloads are not code-signed either, so a remote attacker who tampers with that traffic can use the over-the-air update mechanism to execute malicious code with root privileges. Of the nearly 3 million affected Android devices, 55 different models are caught up in the mix.
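For defenders who want to know whether any of these phones are on their own network, the tell described above (a check-in to the hard-coded head-ends, over plaintext HTTP, right after the device boots) is easy to hunt for in egress logs. The script below is an added example, not code from the article or from BitSight: it parses a constructed egress-proxy log, flags clients that talk to the update head-ends, and records whether each check-in was plaintext and therefore exposed to on-path tampering of the unsigned update. The page does not name Ragentek's domains, so the two hostnames in UPDATE_HEADENDS are placeholders to be replaced with the real indicators; the log format is likewise an assumption.

```python
import re
from collections import defaultdict

# Placeholder head-end hostnames (assumption: the article does not name the
# real domains). Replace with the indicators from the BitSight advisory.
UPDATE_HEADENDS = {"update-headend-a.example", "update-headend-b.example"}

# Constructed egress-proxy log lines (not real traffic), one request per line:
# <ISO timestamp> <client ip> <scheme> <host> <port> <method> <path>
SAMPLE_LOG = """\
2016-11-17T08:01:12Z 10.20.0.15 http update-headend-a.example 80 POST /check
2016-11-17T08:01:13Z 10.20.0.15 http cdn.update-headend-b.example 80 GET /cmd
2016-11-17T08:02:40Z 10.20.0.21 https www.example.org 443 GET /
2016-11-17T08:03:05Z 10.20.0.33 http update-headend-b.example 80 POST /check
2016-11-17T08:03:06Z 10.20.0.33 https mail.example.org 443 GET /inbox
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (https?) (\S+) (\d+) (\S+) (\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, scheme, host, port, method, path = m.groups()
    return {"ts": ts, "src": src, "scheme": scheme, "host": host.lower(),
            "port": int(port), "method": method, "path": path}


def matches_headend(host):
    """True if host is a known head-end or a subdomain of one.

    Suffix matching is done on a label boundary ('.' + domain) so that a
    look-alike such as evil-update-headend-a.example does not match.
    """
    return any(host == h or host.endswith("." + h) for h in UPDATE_HEADENDS)


def find_affected_devices(log_text):
    """Return {client_ip: [records]} for clients that check in with a head-end.

    Each record carries a 'plaintext' flag: an http:// request (or anything
    on port 80) is readable and rewritable by an on-path attacker, which is
    exactly the exposure the unsigned update mechanism turns into root code
    execution.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not matches_headend(rec["host"]):
            continue
        rec["plaintext"] = rec["scheme"] == "http" or rec["port"] == 80
        hits[rec["src"]].append(rec)
    return dict(hits)


def summarize(hits):
    """Collapse per-request hits into a per-client summary for triage."""
    return {
        src: {
            "checkins": len(recs),
            "plaintext": sum(1 for r in recs if r["plaintext"]),
            "hosts": sorted({r["host"] for r in recs}),
        }
        for src, recs in hits.items()
    }


if __name__ == "__main__":
    for src, info in summarize(find_affected_devices(SAMPLE_LOG)).items():
        print(f"{src}: {info['checkins']} check-in(s), "
              f"{info['plaintext']} in plaintext, hosts={info['hosts']}")
```

Because BitSight now controls the domains, a hit on the head-ends means the phone is beaconing to the researchers' sinkhole rather than to an attacker, but the device is still running the unsigned, unencrypted update client and should be pulled from any network where an on-path attacker is a realistic threat. If your proxy or firewall does not log hostnames for plaintext traffic, the same matching can be run over DNS query logs instead.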