
Android SDK vulnerability leaves 100 million users at risk

Security researchers from Trend Micro have discovered that a software development kit used by thousands of applications is leaving Android users at risk.

The Moplus SDK was created by Chinese firm Baidu and contains backdoor functionality. It is believed that approximately 100 million Android device users are affected.


“This SDK has backdoor routines such as pushing phishing pages, inserting arbitrary contacts, sending fake SMS, uploading local files to remote servers, and installing any applications to the Android devices without user’s authorisation,” the Trend Micro researchers explain. “The only requirement is for the device to be connected to the Internet first before any of these routines execute. Our findings also revealed that a malware is already leveraging Moplus SDK in the wild.”

The Moplus vulnerability is particularly severe because attackers simply have to scan mobile network IP addresses for devices on which the Moplus HTTP server ports are open. Attackers can then acquire sensitive information simply by sending requests to this server. If a device has been rooted, unwanted applications can even be installed. Trend Micro has already found that a type of malware known as Wormhole has been installed using this method.

Both Baidu and Google have now been informed of the security issue and the former has responded by removing, or making inactive, any lines of malicious code. The remaining dead code will also be removed by the next update purely for the sake of clarity.


Although the swift action taken by Baidu is to be welcomed, it remains to be seen how many third-party developers using Moplus will update their applications built with the SDK. Only around 4,000 of the 14,000 affected apps were developed by Baidu, so there is a significant chance that much of the affected software will remain available.