While Baidu’s Moplus SDK may not be available to the public, it has already made its way into more than 14,000 Android applications, of which 4,000 are developed by Baidu itself. The SDK makes the apps that embed it open an unsecured, unauthenticated HTTP server. If the download figures for all these apps are put together, over 100 million Android users may be in danger. According to Trend Micro, the Moplus SDK automatically and silently launches an HTTP server on the user’s smartphone, which means that users are never prompted for confirmation. These are a few of the scariest things the Moplus SDK can do:
- get phone details
- send SMS messages
- make phone calls
- add new contacts
- download files to the device
- upload files from the device
- get a list of local apps
- silently install other apps (if the device is rooted)
- push Web pages
- get the phone’s geolocation
- and more
To make things worse, attackers can execute predefined commands that are implemented in the SDK by sending requests to this hidden HTTP server. Trend Micro has so far observed the SDK listening on port 6259 or 40310. An attacker can exploit the Moplus SDK to gain remote access and achieve remote code execution, which includes adding new contacts, uploading local files to remote servers, making phone calls, sending fake SMS messages, pushing phishing pages, and installing any other apps or malware on the Android device without the user’s authorization. Since the SDK deploys the Web server automatically whenever an app that includes it is started, attackers only need to scan a mobile network for the two ports to find vulnerable devices they can abuse.

Trend Micro has already detected malware in the wild (ANDROIDOS_WORMHOLE.HRXA) that uses the Moplus SDK to automatically and periodically deploy unwanted applications. On a rooted device, these applications are installed silently.

In its latest update, Baidu has removed the malicious code from the Moplus SDK and fixed the issue. It eliminated the SDK’s ability to download or upload files, scan for local apps, add new contacts, or scan downloaded files. All of the other functionality was left intact. However, upon checking the latest code of Baidu Map, Trend Micro found that the NanoHttpd server is still kept open and active on user devices, with the bound port still at 40310.
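As an added example (not code from the article, Baidu or Trend Micro), here is a check a user or administrator can run against a device they manage: it parses `netstat -tlnp` output captured with `adb shell` and flags any listener bound to the two ports named above, noting whether it is reachable from the network rather than only from the phone itself. The sample output and process names are constructed.

```python
"""Flag a Moplus-style HTTP listener in captured `netstat -tlnp` output.

Added example, not from the article. Feed it the output of
`adb shell netstat -tlnp` (or `ss -tlnp`) taken from your own device.
"""
import re

# Ports Trend Micro observed the Moplus SDK binding (from the article).
MOPLUS_PORTS = {6259, 40310}

# Constructed sample shaped like Linux/Android `netstat -tlnp` output.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:5037          0.0.0.0:*               LISTEN      812/adbd
tcp        0      0 0.0.0.0:40310           0.0.0.0:*               LISTEN      4711/com.example.mapapp
tcp6       0      0 :::6259                 :::*                    LISTEN      4820/com.example.otherapp
tcp        0      0 192.168.1.20:52144      203.0.113.10:443        ESTABLISHED 4711/com.example.mapapp
"""

# One LISTEN row: proto, queues, local addr:port, foreign addr, state, pid/name.
LISTEN_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<addr>\S+?):(?P<port>\d+)\s+\S+\s+LISTEN\s+(?P<proc>\S+)",
    re.MULTILINE,
)


def find_moplus_listeners(netstat_output: str) -> list:
    """Return listeners bound to a Moplus port, with the owning process.

    A socket bound to 0.0.0.0 or :: accepts connections from the network,
    which is the exposure described in the article; 127.0.0.1 is local-only.
    """
    hits = []
    for m in LISTEN_RE.finditer(netstat_output):
        port = int(m.group("port"))
        if port not in MOPLUS_PORTS:
            continue
        hits.append({
            "port": port,
            "process": m.group("proc"),
            "network_reachable": m.group("addr") in ("0.0.0.0", "::", "*"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_moplus_listeners(SAMPLE_NETSTAT):
        flag = "EXPOSED" if hit["network_reachable"] else "local-only"
        print(f"port {hit['port']} ({flag}) owned by {hit['process']}")
```

An exposed hit means the app named in the process column should be updated or removed; a local-only binding is still worth investigating but is not reachable by a network scan.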