Baidu App Development Kit puts 100 million Android devices at risk of attack

The earlier XcodeGhost incident left Apple mobile phone users in the embarrassing situation of being "transparent". As it turns out, Apple and its users are not the only ones to suffer: this time it is Baidu's turn!

According to PCWorld, a software development kit (SDK) developed by Baidu and used by thousands of Android apps contains a feature that allows hackers to gain backdoor access to user devices.

The SDK, called Moplus, is not available to the public but is integrated into more than 14,000 apps, about 4,000 of which were developed by Baidu, researchers at security firm Trend Micro said in a blog post on Sunday. Trend Micro estimates that the affected apps have more than 100 million users in total.

Trend Micro's analysis report states that the Moplus SDK opens an HTTP server on any device where an affected application is installed. The server does not use any authentication and accepts requests from any device on the Internet.

Worse still, by sending requests to this hidden HTTP server, hackers can execute pre-defined commands implemented in the SDK. These commands can be used to extract sensitive information such as location data and search keywords, as well as add new contacts, upload files, make calls, display fake messages, and install apps.

On rooted devices, this SDK allows silent installation of apps, meaning the user will not be prompted. In fact, Trend Micro researchers have already discovered a worm that exploits this vulnerability to install unwanted apps: ANDROIDOS_WORMHOLE.HRXA.

Trend Micro researchers believe that in many ways the Moplus flaw is worse than a flaw found in the Android Stagefright library earlier this year, as the latter at least requires hackers to send a malicious MMS message to the user or trick the user into opening a malicious link.

To exploit the Moplus flaw, a hacker would simply need to scan the entire mobile network for IP addresses that have a specific Moplus HTTP server port open, the researchers said.

Trend Micro has informed Baidu and Google of this security issue.

Trend Micro security researchers said that Baidu has released a new version of the SDK in which some commands have been removed, but it still opens the HTTP server and some functions can still be abused by hackers.

Baidu researchers said in an email that the company has fixed all security flaws reported before October 30, there is no "backdoor" in this SDK, and inactive code will be removed in the new version of the SDK.

However, the problem lies in how quickly third-party developers using this SDK can update their apps. The 20 most affected apps listed by Trend Micro include apps developed by third parties, some of which have not yet been removed from Google Play.
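
The exposure described in this article, an HTTP server that listens without authentication and accepts requests from other hosts, appears on a device as a TCP socket in LISTEN state bound to a non-loopback address. The following Python code is an added example (not from Trend Micro, Baidu or the original article) that parses `/proc/net/tcp`-format text and lists such sockets with the owning UID. The sample rows, ports and UIDs are constructed, and the address decoding assumes a little-endian (ARM or x86) device.

```python
import ipaddress
import struct

LISTEN = "0A"          # TCP state code for LISTEN in /proc/net/tcp
FIRST_APP_UID = 10000  # Android assigns installed apps UIDs from 10000 upward

# Constructed sample in /proc/net/tcp layout; the last row uses the wider
# address field of /proc/net/tcp6. Ports and UIDs are made up.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000  2000        0 20111
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 20456
   2: 0F02000A:9C40 010200C0:01BB 01 00000000:00000000 00:00000000 00000000 10087        0 20789
   3: 00000000000000000000000000000000:22B8 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000 10140        0 20990
"""

def decode_addr(hex_addr):
    """Decode a kernel hex address; each 32-bit word is stored little-endian."""
    raw = bytes.fromhex(hex_addr)
    words = struct.unpack("<%dI" % (len(raw) // 4), raw)
    ip = ipaddress.ip_address(struct.pack(">%dI" % len(words), *words))
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the IPv4 address it carries.
    return getattr(ip, "ipv4_mapped", None) or ip

def exposed_listeners(proc_net_tcp):
    """Return (ip, port, uid) for each LISTEN socket not bound to loopback."""
    found = []
    for line in proc_net_tcp.splitlines():
        fields = line.split()
        # The header row and non-listening sockets fail the state check.
        if len(fields) < 8 or fields[3] != LISTEN:
            continue
        hex_addr, hex_port = fields[1].split(":")
        ip = decode_addr(hex_addr)
        if ip.is_loopback:
            continue  # reachable only from the device itself
        found.append((str(ip), int(hex_port, 16), int(fields[7])))
    return found

if __name__ == "__main__":
    for ip, port, uid in exposed_listeners(SAMPLE):
        owner = "installed app" if uid >= FIRST_APP_UID else "system"
        print(f"{ip}:{port} is listening for remote connections (uid {uid}, {owner})")
```

On a test device the input would be the contents of `/proc/net/tcp` and `/proc/net/tcp6`, for example read over `adb shell`; whether those files are readable depends on the Android version and is an assumption here.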
