Nearly three million Android handsets are vulnerable to attacks that could secretly install malware

According to a report published today, nearly three million Android handsets are vulnerable to man-in-the middle-attacks that could turn over full control of the handsets to hackers. The affected phones are currently residing in various regions of the world with the U.S. the number one location. The attack hits at root level and sends device information and more to a server in China, and to two domain names that were hard-wired into the affected handset's firmware.

Security firm BitSight Technologies registered the two domain names and control them. Since taking over these two domain names, 2.8 million devices have used it to try to connect to find software that can be used with with phones that have been rooted. In other words, the vulnerability could allow the installation of malware on affected handsets, without the phone's owner ever knowing. The malware, installed as apps, could track keystrokes, bug calls, and more.

This news comes on the heels of a report in the New York Times that said certain software from a Chinese company named Shanghai Adups Technology, became a back door on certain Android devices. Servers in China reportedly received information from these handsets including location data, texts, and the calls made on each phone.

Phones manufactured by ZTE, Huawei and BLU were mentioned in the Times report as having the so-called Adups software installed. Both ZTE and Huawei reached out to us with official statements. ZTE said that none of its U.S. devices contained the software, and Huawei said that it never did any business with the company. For its part, BLU CEO Samuel Ohev-Zion told the New York Times that the company had no knowledge of the Adups software. He also said that the software is not on any BLU handset currently in its lineup. The vulnerability discovered by BitSight has nothing to do with the Adups software.

According to BitSight, 55 known Android models tried to send data to the two sink holes that it owns. Of the 55 models, 26% were manufactured by BLU. Infinix was next with 11%, and Doogee was third with 8%. 47% of the phones did not give information that could pinpoint the manufacturer. The devices connecting to the domains came from different sectors including government, healthcare and banking.

Of the manufacturers whose phones appear to be involved, only Miami's BLU has promised to issue an update to get rid of this flaw. BitSight wasn't sure if the update would be installed automatically, or if it had to be manually downloaded. The security firm said that BLU did not respond to calls seeking comment. BitSight purchased a BLU Studio G from a Best Buy store, and discovered that it sent to the server in China information pertaining to the device itself; that included the unique IMEI number that identifies the phone.

The Depart of Homeland Security issued a CERT advisory about the vulnerability, listing three hosts that the affected phones are trying to communicate with. Note that the first one listed is the server in China, while the other two are the sink holes owned by BitSigtht. The warning listed the Android phones affected, which are:

• BLU Studio G
• BLU Studio G Plus
• BLU Studio 6.0 HD
• BLU Studio X
• BLU Studio X Plus
• BLU Studio C HD
• Infinix Hot X507
• Infinix Hot 2 X510
• Infinix Zero X506
• Infinix Zero 2 X509
• DOOGEE Voyager 2 DG310
• LEAGOO Lead 5
• LEAGOO Lead 6
• LEAGOO Lead 3i
• LEAGOO Lead 2S
• LEAGOO Alfa 6
• IKU Colorful K45i
• Beeline Pro 2
• XOLO Cube 5.0

source: BitSight, CERT  via arstechnica