Millions of Android Devices Vulnerable to Remote Hijacking: Baidu Wrote the Code, But Google Made it Possible

Last month, Chinese security researchers uncovered a security vulnerability in an Android software library developed by the Chinese search giant Baidu, and when it comes to security vulnerabilities, this one’s a whopper. It allows an attacker to remotely wreak all sorts of havoc on someone’s phone, from sending fake SMS messages to downloading arbitrary files to installing other apps without the user’s authorization.

The widespread deployment of the vulnerable software library makes things even worse. The library, known as the Moplus SDK, is used by over 14,000 separate Android apps. By some estimates, as many as 100 million unique Android devices were vulnerable. And that isn’t even the worst of it.

Further investigation by researchers at Trend Micro showed that this wasn’t just the result of some security bug. The Moplus SDK was actually designed to do all the terrible things described above. That’s right: Baidu apparently actually built the capability into its SDK to remotely upload files, install apps, and trigger all sorts of other actions—and this capability existed on every device on which an app that contained the Moplus SDK library had been installed.

Digging a little deeper, it’s obvious this was no accident. Back in 2013, Baidu applied for and received a Chinese patent on a method for triggering actions within a mobile app by having a web service send the mobile app a web request—in other words, precisely the backdoor functionality Moplus SDK contained. 1

Obviously, the vast majority of the blame for this catastrophe should fall on Baidu. But we think a small part of the blame should fall on Android’s permission system as well.

Android’s Permission System Was Broken…

Up until Android 6 (Marshmallow), Android users were given an all or nothing choice: either give an app permission to do whatever it requested, or don’t install the app. This kind of Hobson’s choice led to user apathy about permissions. (Why bother examining all the permissions the app is requesting if you don’t really get a choice about specific permissions?) At the same time, app developers realized they could ask for any permissions they wanted, since only about half of users have ever chosen not to install an app based on its permissions. (Why not have your flashlight app access a phone’s location if it means you can display higher-revenue location-targeted ads in your app?)

The result was an environment in which apps could request permissions unrelated to their core functionality, and some percentage of users would install them anyway. This includes apps bundled with the Moplus SDK—every such app explicitly asked for all the permissions it needed in order to enable Moplus SDK’s backdoor capabilities. The difference this time was what most users would normally shrug off as a privacy-invasive but otherwise harmless request for excess permissions turned out to be a request by a vulnerable backdoor system that endangered users’ security.

Fortunately, there’s a light at the end of this long, dark tunnel. The latest version of Android features a completely new permission system. In Android 6, when an app tries to use a permission for the first time, Android will show a popup to the user. The user can then decide whether or not to let the app use that permission.

This means users finally have a real choice when it comes to what info or capabilities they want to give their apps. While this system wouldn’t stop all of the malicious effects of Moplus SDK (e.g., a map app which uses location data for both its main functionality as well as for sending to an attacker) it would stop some of the most egregious examples (e.g., a flashlight app that tries to access location data).

…But Android’s Permissions Still Have a Huge Security Hole

But Google could, and should, do more. For one thing, Android currently gives every app permission to access the Internet automatically—without even notifying the user, much less asking their consent. In the past, Google has claimed that this is because apps without Internet access could exfiltrate data to servers through other surreptitious means (via an intent, for the Android devs out there), so blocking Internet access would be pointless.

This argument is a red herring. If apps with Moplus SDK had to ask for Internet access, it’s entirely possible that many users would have denied giving some of the apps that permission—thus completely eliminating their risk. In other words, while it’s true that apps without Internet access could still find sneaky ways to leak data without telling users, it’s also true that blocking Internet access is a necessary first step to keep many apps from doing so.

So what’s the real reason Google won’t expose Internet access as a top-level permission?

It’s the same reason they’ve blocked apps like Disconnect from the Play Store. Google is worried that giving users a choice about which apps are communicating about them could put a dent in their lucrative advertising business. After all, a flashlight app without Internet access can’t display ads.

The problem is that security and privacy are two sides of the same coin. By refusing to give users a choice about whether or not apps have Internet access, Google is putting its users at risk and sending the message that it cares more about its bottom line than its users’ security.

Fortunately for Google, this is an easy fix—just include Internet access as one of the permissions apps have to request in the next version of Android. Otherwise, Moplus SDK won’t be the last major Android security catastrophe.

• 1. Thanks to Imbushuo and Arthur2e5 for pointing the patents out to us, and to 木卡杨 on Zhihu.com for digging them up in the first place.