- December 02, 2015
- Suggested Reading
In early November 2015, several news articles reported that over 100 million Android devices were at risk. The cause was a backdoor-like 'feature' in the Moplus software development kit (SDK), which is distributed by the Chinese search engine giant Baidu. The issue was reported by WooYun.org (English version available), a vulnerability reporting platform in China, and made waves because of the severity and impact of a successful exploitation, as well as the large number of potentially exposed users.
An SDK is a set of tools and libraries that aim to make development easier. Using one or more SDKs in app development is common practice. The downside is that a developer using an SDK usually has little or no control over the code within the SDK, and has to trust that the code was developed securely.
As Trustlook explained in their blog entry, this lack of security in the implementation of the Moplus SDK is what caused the Wormhole vulnerability. Once an app is built with the Moplus SDK, a web server is automatically installed and launched on the device. This web server implements no authentication, accepts requests from any source, and provides backdoor functionality that can easily be exploited.
Researchers at Trend Micro have identified a specific malware in the wild, dubbed ANDROIDOS_WORMHOLE.HRXA, which exploits the backdoor in the Moplus SDK to automatically and periodically deploy unauthorised applications. They published an interesting technical blog entry that describes Wormhole, as well as how ANDROIDOS_WORMHOLE.HRXA exploits the Moplus SDK.
Similarly to the popular Stagefright bug, this vulnerability can be exploited without the victim's knowledge or interaction. By sending requests to the Moplus SDK web server, attackers can execute predefined commands that allow them to extract sensitive information such as location data and search queries, and to perform operations such as making phone calls or installing apps. An interesting article by Pierluigi Paganini from Bit4Id lists the actions that can be performed upon successful exploitation of Wormhole.
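The weakness the paragraphs above describe (an embedded web server that accepts requests from any source, performs no authentication, and hands them to predefined commands) can be seen in a handful of lines. The following is an added example written for this page, not code from ENISA, Baidu or the Moplus SDK: a minimal command-dispatch handler in a deliberately weak form next to a hardened form. The command names (getlocation, installapp), the X-App-Token header and the loopback-only rule are constructed assumptions for illustration; the command stubs return strings and touch nothing on a device.

```python
"""Added example (not ENISA's, Baidu's or the Moplus SDK's code): a command-
dispatch HTTP handler of the kind an embedded SDK might ship, shown in a
vulnerable form and a hardened form. All names and commands are constructed."""
import hmac
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse


# Constructed stand-ins for the "predefined commands" such a server exposes.
# They only return strings here; nothing is read from or changed on a device.
def _get_location():
    return "location: <redacted>"


def _install_app(pkg):
    return "would install %s" % pkg


COMMANDS = {
    "getlocation": lambda q: _get_location(),
    "installapp": lambda q: _install_app(q.get("pkg", [""])[0]),
}


def dispatch_vulnerable(path):
    """Weak pattern: any caller, any origin, no credential, every command.
    A real server of this shape would also bind to 0.0.0.0, i.e. the network."""
    url = urlparse(path)
    handler = COMMANDS.get(url.path.strip("/"))
    if handler is None:
        return 404, "unknown command"
    return 200, handler(parse_qs(url.query))


# Hardened pattern (assumptions: loopback only, shared secret, allowlist).
SAFE_COMMANDS = {"getlocation"}          # high-impact actions are not exposed at all
INSTANCE_TOKEN = secrets.token_hex(16)   # per-process secret known only to the host app


def dispatch_hardened(path, headers, client_ip):
    """Returns (status, body). `headers` is any mapping with .get()."""
    # 1. Refuse anything that did not originate on the device itself.
    if client_ip != "127.0.0.1":
        return 403, "remote callers refused"
    # 2. Require the secret shared with the host app, compared in constant time.
    presented = headers.get("X-App-Token", "") or ""
    if not hmac.compare_digest(presented.encode(), INSTANCE_TOKEN.encode()):
        return 401, "missing or bad token"
    # 3. Only allowlisted, low-impact commands are reachable over HTTP.
    url = urlparse(path)
    cmd = url.path.strip("/")
    if cmd not in SAFE_COMMANDS:
        return 404, "unknown command"
    return 200, COMMANDS[cmd](parse_qs(url.query))


class _Handler(BaseHTTPRequestHandler):
    """Serves the hardened dispatcher; bound to loopback in the demo below."""

    def do_GET(self):
        status, body = dispatch_hardened(self.path, self.headers, self.client_address[0])
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body.encode())

    def log_message(self, *args):  # keep the demo quiet
        pass


if __name__ == "__main__":
    # The weak variant would be HTTPServer(("0.0.0.0", port), ...): network-reachable.
    srv = HTTPServer(("127.0.0.1", 0), _Handler)
    print("listening on 127.0.0.1:%d, token %s" % (srv.server_port, INSTANCE_TOKEN))
    srv.handle_request()  # serve a single request, then exit
```

Binding to loopback keeps network callers out but does not stop other apps on the same device, which is why the hardened version also demands a secret only the host app knows and exposes only an allowlisted, low-impact command set; anything as consequential as installing an app does not belong behind an HTTP endpoint at all.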
An SDK is not an application but a tool used within applications, which means that any application using a particular SDK is potentially exposed to its vulnerabilities. In this case, the Moplus SDK is used by more than 14,000 Android apps, almost 4,000 of which are developed by Baidu. Altogether, these apps have been downloaded by more than 100 million Android users.
According to an NZ Foreign Affairs security notice, the popular OEM Huawei shipped devices with pre-installed apps that were developed using the Moplus SDK. This case is particularly problematic, since removing pre-installed apps is not an easy task and in many cases impossible.
This is not the first time, and will most likely not be the last, that applications are rendered vulnerable by third-party code; the infamous Heartbleed bug is a perfect example. The use of SDKs, libraries and third-party code is common practice in software development. One common case is the use of SDKs or libraries for ad provider services, where the developer simply inserts an ad library into their application to serve the provider's ads. Some of these tools may even be intentionally developed in an insecure manner, such as the recently discovered SMS-stealing library in the Taomike SDK. Whether intentional or otherwise, third-party code can easily contain security weaknesses, so those deciding to use such tools must do so with caution.
Baidu has since patched the Wormhole vulnerability. However, the problem remains that every third-party developer who used this SDK needs to update their apps with the latest SDK version and ensure that users who already downloaded the vulnerable apps update to the fixed version, and this step is out of Baidu's hands.
In the report "Mobile App Advertising Guidelines", the mobile security company Lookout suggested that:
"Often, insufficient or inaccurate descriptions of third-party code within an application can be the result of an app publisher not fully understanding the implications of a given library or SDK. To this end, Ad Providers should provide a clear statement of data gathered and gating criteria (e.g. permissions required in the Android declarative permission model) with the goal of providing clarity to App Publishers regarding the additional impact that including their code may have on the privacy posture of their applications."
About "Suggested Reading" from ENISA
With the “Suggested Reading” series, ENISA aims to give the interested reader guidance on controversial and inscrutable NIS-related discussions carried out in the media, by suggesting selected pre-reviewed articles that in our view explain the issue at hand and the related circumstances in a reasonable and understandable manner. This view is derived from past experience and common sense; in no way should “Suggested Reading” be understood as a recommended course of action in a specific incident or investigation, or as a final conclusion. Feel free to get in touch with ENISA to discuss the “Suggested Reading” series or to request more information (firstname.lastname@example.org).