Nearly 3 million Android phones have been found to be vulnerable to MITM (man-in-the-middle) code-execution attacks, thanks to a secret backdoor that came pre-installed in low-cost devices. Security researchers found that firmware developed by Chinese firm Ragentek Group left devices vulnerable to remotely executed attacks that could completely hijack affected devices, many of which are in use in the US.

Researchers claimed that the most affected Android manufacturer is US-based BLU Products, with a 26% affected rate. Other companies affected are Infinix with 11%, Doogee with almost 8%, and Leagoo and Xolo with around 4% each.

"The binary responsible appears to be an insecure implementation of an OTA (Over-the-air) mechanism for device updates associated to the software company, Ragentek Group, in China. All transactions from the binary to the third-party endpoint occur over an unencrypted channel, which not only exposes user-specific information during these communications, but would allow an adversary to issue commands supported by the protocol," security researchers at BitSight said in a blog.

"The thing that scares us is a lot of these users will be unaware of the vulnerability, and they will never get an update," BitSight CTO Stephen Boyer told ArsTechnica. "This is full system compromise. This is at the root level. [Attackers with a MitM position] can do anything."

BitSight researchers said that they purchased a BLU phone from a Best Buy store and went on to launch an attack that exploited the rootkit. The attack allowed the researchers to install a "passive network capturing system" which provided them with "immediate visibility into the larger population of affected devices".

BitSight researcher João Gouveia posted a tweet, claiming that he and his colleagues were seeing connections coming in from various sectors, "including healthcare, government and banking."

There appears to be little information about the Ragentek firmware, which, according to BitSight researchers, is particularly difficult to detect and runs under the radar. However, researchers believe that the firmware was likely designed to deliver legitimate OTA updates to phones and that its backdoor functionalities were likely unintentional.

BitSight researchers noted that the firmware was distributed via "a set of domains preconfigured in the software." When the vulnerability was discovered, only one of the domains was registered, while the other two remained unregistered, leaving them vulnerable to hackers.

"If an adversary had noticed this, and registered these two domains, they would've instantly had access to perform arbitrary attacks on almost 3,000,000 devices without the need to perform a Man-in-the-Middle attack," researchers said. BitSight's subsidiary firm AnubisNetworks is now in control of "these two extraneous domains to prevent such an attack from occurring in the future for this particular case."

This is the second time in the span of a week that security researchers have sounded an alarm about Android phones with pre-installed backdoors. Kryptowire security researchers recently warned of data from numerous Android phones being sent to servers in China. The disclosures highlight the alarming security risks left untested by manufacturers and the risks Android users can face.