A vulnerability has been found in the Moplus SDK, which Chinese web services company Baidu created for developers. It affects at least 100 million Android devices that have apps built with the vulnerable SDK.
As reported by security software company Trend Micro, the Moplus SDK has "backdoor routines" that could allow attackers to push phishing pages, insert arbitrary contacts or send fake messages without notifying users. Attackers can access the content stored on affected apps through an open HTTP server, a vulnerability that has been named Wormhole.
The company additionally claims that the vulnerability enables attackers to install malicious Android apps on rooted devices. According to the source code, the Moplus SDK sets up a local HTTP server on the device in the background. This server silently provides updates to a third-party client and works as a command-and-control (C&C) attack model.
Researchers at Trend Micro consider that an attack can be carried out against any device that has apps infected by the Moplus SDK. A Nexus 6 running Android 6.0 Marshmallow was used to test for its existence.
The Moplus SDK is not publicly available, but over 14,000 apps have integrated its code in the past. Of the total, 4,000 were developed by Baidu itself and are running on a large number of Android devices. Trend Micro has informed Baidu and Google about the security issue, and considers it "even worse" than the recently emerged Stagefright vulnerability.
In a statement to IBTimes UK, a spokesperson acknowledged the bugs but said "all vulnerability issues connected to the SDK on Baidu Android-based apps" have been fixed. "The remaining code that some reports identified as potentially problematic after our fix is actually dead code, with no effect at all. For clarity's sake we will remove all such dead code in the next version releases of affected apps as soon as stability can be confirmed via quality testing," the spokesperson said in an emailed statement.
Apart from fixing its own apps, the spokesperson said Baidu had notified all its third-party developers about the vulnerability, and that they were "told to address the issue". It is difficult to predict when all the developers will patch the vulnerability in their apps. In addition, Trend Micro says "not all malicious functionalities have been deleted by Moplus SDK". This means that devices are still at risk.