Got a cheap-and-cheerful Android phone from BLU, Infinix, Doogee, Leagoo, IKU, Beeline or Xolo? It might be harbouring some badware in the firmware.
The issue affects phones that use an over-the-air update mechanism from Chinese company Ragentek, according to BitSight researcher Dan Dahlberg and Anubis Networks' João Gouveia and Tiago Pereira.
Since a firmware update runs as root, the phones in question are vulnerable to pretty much anything a malicious server might install: a keylogger, bugging software, or anything else an attacker might contemplate.
In a twist that doesn't look like an accident, the vulnerable process tries to hide itself from the user and has a command that would let the manufacturer turn it off for six months or until the phone is rebooted.
The researchers say Ragentek doesn't encrypt firmware updates, making them vulnerable to a man-in-the-middle attack, and as well as the BLU Studio G they tested, they estimate about three million phones in America are vulnerable.
The sub-$100 phone they tested started by trying to contact a Ragentek domain immediately after initialisation, then another two unregistered domains that Anubis acquired (watching the traffic to those domains provided the estimated number of affected phones).
Like the backdoor discovered last week by Kryptowire, the Ragentek firmware phones home with information like IMEI (the device ID), phone numbers (there might be two, since the BLU Studio G is a dual-SIM unit), country and more.
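As an added, defender-side illustration (not code from the article or from the researchers), the following script scans constructed proxy log lines for update traffic that carries an IMEI-shaped identifier over plain HTTP, the combination the two paragraphs above describe. The hostnames and log format are assumptions; a real deployment would feed it the proxy's own export.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines (hostnames are placeholders, not the article's).
# Format assumed: "<METHOD> <URL>" per line.
SAMPLE_LOG = """\
POST http://ota.example-vendor.invalid/update?imei=490154203237518&cc=US
GET http://ota.example-vendor.invalid/check?ver=1.2
POST https://updates.example-vendor.invalid/report?imei=490154203237518
POST http://ota.example-vendor.invalid/update?imei=123456789012345
"""

IMEI_RE = re.compile(r"(?<!\d)\d{15}(?!\d)")  # 15 digits not embedded in a longer run


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test; a real IMEI passes, a random 15-digit run usually does not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_imeis(text: str) -> list:
    """Return only the 15-digit runs that also pass the Luhn check."""
    return [m for m in IMEI_RE.findall(text) if luhn_valid(m)]


def flag_plaintext_imei(log: str) -> list:
    """Yield (hostname, [imei, ...]) for every request that sends an IMEI over cleartext HTTP."""
    findings = []
    for line in log.splitlines():
        if " " not in line:
            continue
        _method, url = line.split(" ", 1)
        parts = urlsplit(url.strip())
        if parts.scheme != "http":       # HTTPS requests are not the exposure described here
            continue
        imeis = find_imeis(url)
        if imeis:
            findings.append((parts.hostname, imeis))
    return findings


if __name__ == "__main__":
    for host, imeis in flag_plaintext_imei(SAMPLE_LOG):
        print(f"cleartext IMEI to {host}: {', '.join(imeis)}")
```

The last sample line is deliberately a non-Luhn 15-digit value so the output shows only the genuine IMEI leak, not every long number in a URL.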
Some reverse engineering of the software turned up the snippets showing that the process in question (/system/bin/debugs) tries to hide itself from the user and can be sent to sleep by the server.
Carnegie Mellon's CERT/CC has tagged the issue CVE-2016-6564 and is tracking affected vendors for updates.
Like last week's Adups spyware, the Ragentek firmware is present on phones sold outside China, including kit offered by prominent retailers such as Best Buy and Amazon. ®