Just a few days ago, a backdoor was discovered in various Android smartphones that was being used to send call logs and text message archives to servers hosted in China. Now an even more dangerous rootkit has been discovered, and devices from US-based smartphone brand BLU are among the most affected.
Security research firm BitSight has released an advisory about a rootkit found in the Ragentek firmware used in certain Android smartphones, mostly manufactured by Chinese OEMs. The firm carried out extensive tests on a BLU Studio G smartphone, which included installing a tracking file through the exploit. Since the firmware allows apps to be installed with elevated privileges, a compromised device can be used to do a lot of harm.
By monitoring the data transmitted to a couple of domains, BitSight identified nearly 55 smartphone models that carry the backdoor. Many more devices with unknown identifiers were also discovered. US-based brand BLU is the worst affected, with about 26 percent of its smartphones found to have this backdoor. The other brands include Chinese vendors such as Doogee, Leagoo and Infinix. BLU is said to be addressing the issue, but no details of the process are available yet.
According to BitSight, requests to the remote servers were largely made from phones used in institutions such as banks, hospitals and governments, where these devices were probably deployed in bulk because of their low prices. Network admins or enthusiasts can monitor their traffic for requests to the following domains to find out whether any affected devices are on their network:
- oyag[.]lhzbdvm[.]com
- oyag[.]prugskh[.]net
- oyag[.]prugskh[.]com
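As an added example (not part of the original article or of BitSight's advisory), the following Python script shows one way to act on those three indicators: it refangs the `[.]`-defanged domains as printed above, then scans DNS query logs and reports which client addresses resolved any of them or a subdomain of them. The log line format (`<timestamp> <client_ip> query <qname>`) and the sample lines are constructed for this example; adapt the regular expression to your resolver's actual log format.

```python
import re
from collections import defaultdict

# Indicator domains from the advisory, kept defanged exactly as published.
RAGENTEK_DOMAINS_DEFANGED = [
    "oyag[.]lhzbdvm[.]com",
    "oyag[.]prugskh[.]net",
    "oyag[.]prugskh[.]com",
]

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('a[.]b[.]com') back into a matchable domain name."""
    return indicator.replace("[.]", ".").lower().rstrip(".")

RAGENTEK_DOMAINS = {refang(d) for d in RAGENTEK_DOMAINS_DEFANGED}

def is_ragentek_domain(name: str) -> bool:
    """True if name equals an indicator domain or is a subdomain of one.
    The leading '.' in the suffix check avoids matching e.g. 'notoyag.prugskh.com'."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in RAGENTEK_DOMAINS)

# Assumed (constructed) log line shape: "<timestamp> <client_ip> query <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\d+\.\d+\.\d+\.\d+)\s+query\s+(?P<qname>\S+)")

def find_affected_clients(log_lines):
    """Map each client IP to the sorted list of indicator domains it resolved."""
    hits = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:          # skip lines that do not follow the expected format
            continue
        qname = m.group("qname").lower().rstrip(".")
        if is_ragentek_domain(qname):
            hits[m.group("client")].add(qname)
    return {ip: sorted(names) for ip, names in hits.items()}

# Constructed sample log: two clients beaconing, one benign, one near-miss, one malformed line.
SAMPLE_LOG = [
    "2016-11-17T09:12:01 10.1.20.15 query oyag.lhzbdvm.com.",
    "2016-11-17T09:12:02 10.1.20.15 query www.example.com",
    "2016-11-17T09:13:44 10.1.20.77 query oyag.prugskh.net",
    "2016-11-17T09:13:45 10.1.20.77 query cdn.oyag.prugskh.com",
    "2016-11-17T09:14:00 10.1.20.90 query notoyag.prugskh.com",
    "garbage line with no structure",
]

if __name__ == "__main__":
    for ip, names in sorted(find_affected_clients(SAMPLE_LOG).items()):
        print(f"{ip} resolved Ragentek indicator(s): {', '.join(names)}")
```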
The recent discoveries about backdoors in smartphones coming out of China will surely raise concerns in the global market, where many of these devices are being sold with local branding as in the case of BLU.