Setting the Record Straight on Moplus SDK and the Wormhole Vulnerability

A vulnerability known as Wormhole that reportedly affected the software development kit (SDK), Moplus by Baidu is making waves due to the severity of the impact once successfully exploited. The said vulnerability was discovered by WooYun.og, a vulnerability reporting platform in China.

However, as our investigation on this security bug unfolded, we found out that the Moplus SDK has backdoor functionalities that are not necessarily due or related to a vulnerability. Currently, people perceived that the issue lies in access permission control of Moplus SDK and how it should limit this access. Hence, the notion that it is vulnerability-related when in actual this SDK has backdoor routines such as pushing phishing pages, inserting arbitrary contacts, sending fake SMS, uploading local files to remote servers, and installing any applications to the Android devices without user’s authorization.   The only requirement is for the device to be connected to the Internet first before any of these routines execute. Moplus SDK has been integrated to numerous Android apps, which affected 100 million Android device users. Our findings also revealed that a malware is already leveraging Moplus SDK in the wild.

In this blog entry, we shed light on the Moplus SDK’s malicious codes and the risks these pose to Android devices.

moplus1

Figure 1. A malware uses the Moplus SDK to silently install itself on the device.

Digging through the Moplus SDK

Moplus SDK is created by Baidu, a search engine giant in China.  For our investigation, we examined two different apps, Baidu Map (com.baidu.BaiduMap, 8.7.0) and “奇闻异录”( com.ufo.dcb.lingyi, 1.3). The SDK versions are different, but most codes are same

moplus2

Figure 2. Moplus SDK included in com.ufo.dcb.lingyi

moplus3

Figure 3. Moplus SDK included in com.baidu.BaiduMap

How is it integrated to apps?

From the application manifest file, the Moplus SDK is included in an independent process. The main service called com.baidu.android.moplus.MoPlusService, can be triggered by different broadcast receivers, including the device on boot event.

moplus4

Figure 4. Moplus is integrated into an independent background. In effect, the malicious process will auto-start at every device boot up.

How does Moplus SDK function as backdoor?

When a user launches an application, Moplus SDK automatically sets up a local http server on the device in the background. It keeps monitoring the messages that go through the socket. To accomplish this, it integrates and modifies NanoHttpd, a simple open source HTTP server written in Java, into its code.

moplus5

Figure 5. Moplus SDK integrates and modifies NanoHttpd into its code.

The TCP port bind to this HTTP server is not always same. In our case, we found it is port 6259 binded in com.ufo.dcb.lingyi while it’s port 40310 for com.baidu.BaiduMap.

moplus6

Figure 6. TCP port binded to local HTTP server is not always same.

The HTTP server will keep listening to the TCP port. It will receive and parse messages sent from remote clients. Once there is new HTTP request, it will get and parse the message header and body, and start calling its own tasks by overriding the “server” function as specified in NanoHttpd documents.

moplus7

Figure 7. Monitor HTTP requests from socket connection

moplus8

Figure 8. Override “serve” function to call its own malicious tasks

This is a typical command & control(C&C) attack model. Compare with traditional C&C attack, the only difference is in this case, the server is at the user side, but attack client can be anywhere. There are lots of malicious functionalities like downloading and uploading of files etc. involved in the SDK, each serve as a single class file.

moplus9

Figure 9. Malicious functionalities supported by Moplus SDK

moplus10

Figure 10. Map between malicious commands and their corresponding source classes

Based on the above screenshots, an attacker can remotely get locations, searchbox infos, package information and other sensitive data from user devices. It can remotely add contacts, scan download files and upload specific files on user devices. All of these can be simply done by sending an HTTP request from anywhere.

moplus11

Figure 11.   A case of batch inserts arbitrary contacts

A special command, “sendintent,” can be used to send local intent on devices. As such, this can remotely make phone calls, send bogus messages, and install arbitrary apps without the user’s consent.

moplus12

Figure 12.  A command dubbed as “sendintent” can be used by an attacker to do malicious controls on the user device.

The SDK also supports silent APK installation and differentiate rooted devices.

moplus13

Figure 13. Support installing application silently

moplus14

Figure 14. Differentiate root users to do more aggressive attacks

These details clearly solidify our findings that it is a backdoor malware.  An attack can be done to any devices already infected by Moplus SDK. We have a short demo on Nexus 6 with Android 6.0 up to date (see figures 16-18). When the Baidu Map is launched, one can find that the malicious service (bdservice_v1) is always running in the background.

moplus15

Figure 15. Malicious service, bdservice_v1 is always running in the background.

moplus16

moplus17

moplus18

Figures 16-18.  In this series of images, we depicted how another contact is added to the mobile device. 

Since there is no identity authentication in the local HTTP server (which is set up by Moplus SDK), an attack can be triggered not only by an App developer but by anyone. With just one command, an attacker or cybercriminal can remotely control the infected device. In addition, they only need to scan the full network segment with NMAP to test TCP port 6259 or 40310 status. All Android devices marked with port status, OPEN can possibly be remotely controlled. Note that all devices under the same LAN as well as under the same 3G/4G networks can be attacked.

This is a critical issue, perhaps even worse than Stagefright vulnerability that requires phishing links to web pages or user phone number, which are then used to send malicious MMS. With this security issue, attackers just simply scan the network IP and require no action from the user’s end or any social engineering attacks.

Other findings and countermeasures

We have detected a malware (ANDROIDOS_WORMHOLE.HRXA) in the wild that uses Moplus SDK to automatically and periodically deploy unwanted applications. When it comes to user devices, the applications will be installed silently if it is rooted.

Sha1: 2FA40A5302D92FB0C5C64CF6197F2D671BA7C30D.

What are the apps that integrated Moplus SDK?

Moplus SDK is not an open SDK which can be only possibly used by Baidu. However, based on our data, there are total of 14112 apps that integrated this SDK, among them 4014 are Baidu official apps. The top 20 hit applications are list below:

  • com.qiyi.video
  • com.baidu.video
  • com.baidu.BaiduMap
  • com.baidu.browser.apps
  • com.baidu.appsearch
  • com.nd.android.pandahome2
  • com.hiapk.marketpho
  • com.baidu.hao123
  • com.baidu.searchbox
  • tv.pps.mobile
  • com.mfw.roadbook
  • com.tuniu.app.ui
  • com.ifeng.newvideo
  • com.baidu.netdisk
  • com.quanleimu.activity
  • com.dragon.android.pandaspace
  • com.yuedong.sport
  • com.dongqiudi.news
  • air.fyzb3
  • com.managershare

In the latest update from Baidu, they already removed the malicious codes in the Moplus SDK and fixed the issue in its latest products. Upon checking the latest code of Baidu Map, we found out that they still keep the NanoHttpd server open in user devices with the binded port still at 40310.

moplus19

Figure 19. Local HTTP server is kept in the latest Moplus update with same TCP port hardcoded.

They removed some malicious commands and their corresponding codes. They also remove the malicious part of installing applications silently and automatically for rooted devices. As seen in figure 21, not all malicious functionalities have been deleted by Moplus SDK, making devices still at risk.

moplus20

Figure 20. Part of malicious commands remain in the latest Moplus SDK.

moplus21

Figure 21. Only malicious functionalities in red part have been removed in the latest Moplus SDK. 

How does Trend Micro protect users?

Trend Micro protects users via its Trend Micro Mobile Security that detects the malicious SDK (ANDROIDOS_WORMHOLE.HRXA) before it can be installed on the device. Its app virus scanner feature can scan installed apps to filter out the malicious apps. Our unlimited updates and cloud scanner technologies ensure continuous protection from any mobile malware.

We also recommend users to uninstall those infected applications unless there is an upgrade that confirms that the malicious behavior of the SDK has been totally removed. We’re currently monitoring this for any updates.

We already informed Google and Baidu regarding this security issue.

With additional data from threat analyst Jordan Pan. 

Read more: Setting the Record Straight on Moplus SDK and the Wormhole Vulnerability

Story added 1. November 2015, content source with full text you can find at link above.