Android Security Technology

Germany: Backdoor Found in Four Smartphone Models; 20,000 Users Infected (zdnet.com)

An anonymous reader shares a report: The German Federal Office for Information Security (or the Bundesamt für Sicherheit in der Informationstechnik -- BSI) has issued security alerts today warning about dangerous backdoor malware found embedded in the firmware of at least four smartphone models sold in the country. Impacted models include the Doogee BL7000, the M-Horse Pure 1, the Keecoo P11, and the VKworld Mix Plus (malware present in the firmware, but inactive). All four are low-end Android smartphones. The BSI said the phones' firmware contained a backdoor trojan named Andr/Xgen2-CY.
  • by tomhath ( 637240 ) on Thursday June 06, 2019 @04:52PM (#58721682)

    Impacted models include the Doogee BL7000, the M-Horse Pure 1, the Keecoo P11, and the VKworld Mix Plus

    The first one sounds kind of dodgy. The second sounds like pure horseshit.

    • by Anonymous Coward

      Impacted models include the Doogee BL7000, the M-Horse Pure 1, the Keecoo P11, and the VKworld Mix Plus

      The first one sounds kind of dodgy. The second sounds like pure horseshit.

      "Doogee" sounds more like something you'd find in a cow pasture.

      • by Anonymous Coward

        I dropped a Doogee so big this morning, I had to flush TWICE.

        ---
        Sent from my KooCoo KeeCoo.

  • by Anonymous Coward

    Doogee?!?!

    People PAY for something with a name concocted by a 11-year-old boy?

    Jesus Fucking Christ, it just needs a Beavis and Butthead logo.

    • by PCM2 ( 4486 )

      Wow. Such phoone. Soo hip. Much fiirmware. Wow.

      • Soo hip.

        The word hip was not in Beavis' and Butthead's vocabulary.

        I seem to remember one episode where Butthead summed up his philosophy as:

        "I like stuff that's cool. I hate stuff that sucks."

        • You missed the point of the grandparent post. Their post was written in the Doge meme language (because Doge and Doogee sound similar). Nothing to do with Beavis & Butthead.

  • by ffkom ( 3519199 ) on Thursday June 06, 2019 @04:58PM (#58721720)
    It contained a Trojan called "Android" that constantly sent data to some C&C server at Google. It tried to trick me into exposing all kinds of sensitive data to it. But luckily, I noticed this early after buying, and wiped it from the system, now running a proper Lineage installation without any "Google apps" tainting the device.
    f-droid.org turned out to be the only reliable source of non-malware that I needed.
    • now running a proper Lineage installation without any "Google apps" tainting the device.
      f-droid.org turned out to be the only reliable source of non-malware that I needed.

      My bank's 2FA app complains about my phone being rooted or something as long as it doesn't see a weird virus called com.google.android.gms (Google Play Services).
      microG [microg.org] (available [microg.org] on the above-mentioned f-droid.org [f-droid.org]) turns out to be an open-source non-malware implementation that keeps the bank's app happy.

    • by swillden ( 191260 ) <shawn-ds@willden.org> on Thursday June 06, 2019 @08:31PM (#58722670) Journal

      It contained a Trojan called "Android" that constantly sent data to some C&C server at Google.

      Android (ignoring Google Play Services; I'll get to that) actually sends very little data to Google. Specifically, it sends Android checkin messages. Various system daemons collect information about system health and report it via checkin. This data is anonymized and its purpose is to let Android engineers know about problems and, to a lesser degree, usage patterns. For example, Android Keystore (which I own) collects some data about what types of cryptographic keys are used, and especially how often deprecated modes of operation are used. The latter data shows that we need to do a little more developer education to get the usage of deprecated modes low enough that we can safely remove them.

      If you want to see exactly what Android sends, search AOSP for usages of "DropBoxManager".

      Google Play Services sends a lot more data, of course, but only with user permission -- though in many cases the permission is implicit in the decision to use a particular Google or third-party app, or might have to be opted out of. More sensitive data, such as information about apps installed (including sideloaded apps) or location data has to be explicitly opted into. Much of what people assume Google Play Services may send, it does not even have access to. For example, it has no ability to read data belonging to any apps, unless those apps provide the data to it via Play Services APIs.

      If you choose to use Google's backup service (I think it's opt-in), then device settings and configuration data, SMS history and some app data is backed up to Google. Apps can opt out of backup, or they can specify that they want only certain files to be backed up. However, Google cannot read any of this backed-up data. The data is encrypted on-device using a randomly-generated key. The randomly-generated key is then encrypted with a key derived from your lockscreen password. The encrypted data is sent to Google Drive. The encrypted key is sent to a different system which consists of a farm of security chips, which store the encrypted key and will only divulge it when presented with a secret derived from your lockscreen password. The chips do brute force mitigation, limiting attempts to present a password-derived secret to a low rate, and perhaps with an absolute upper limit on the number of attempts. The purpose of this is to ensure that no one at Google can use the system to discover your password or recover the data encryption key. I believe the chips implement insider attack resistance, too (see this blog post [googleblog.com] for an explanation of what that means, though that's about insider attack resistance for Android device security chips, and the backup service chips are a slightly different context).

      Of course, when you want to recover your backup by, say, restoring it onto a new phone, you enter your old lockscreen password, your new device derives the secret and sends it up. The security chip checks it and divulges your encrypted data encryption key, which is sent to your new phone. Your new phone uses your password to derive the key needed to decrypt the decryption key. Then your encrypted backup is sent down to your phone, which can decrypt and install it.

      In general, Google engineers are very careful not to send any data to Google without permission. In many cases, we avoid sending any data to Google at all. For example, I'm working on electronic driver's licenses for Android, and my architecture is designed to keep the data far away from any Google server.

      • So what prevents someone sufficiently powerful at Google to intercept the key while it's being sent to the security chips, and then decrypt it with some brute force (because, let's be serious, no one has a cryptographically strong lockscreen password)? Just "don't be evil" good will, I presume?
        • So what prevents someone sufficiently powerful at Google to intercept the key while it's being sent to the security chips

          The key is encrypted with a public key corresponding to a private key that exists only in one of the security chips. It's actually a little more subtle and complex than that, to address operational issues, but from a cryptographic security point of view, that's what it boils down to.

          Just "don't be evil" good will, I presume?

          Nope. Security engineers don't think that way.
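The backup key hierarchy swillden describes (random data-encryption key, wrapped under a key derived from the lockscreen password, released by a rate-limited security chip only to a caller who proves knowledge of the password) as an added toy model in Go. This is example code written for this page, not Google's code, parameters or wire format. Assumptions: PBKDF2-HMAC-SHA256 with 20000 iterations stands in for the real password derivation, AES-256-GCM for both encryption layers, a limit of 10 attempts for the chip's brute-force mitigation, and the verifier construction HMAC(KEK, "verifier") is this example's choice. The public-key envelope to the chip from the reply above is not modelled: Enrol is called directly in its place.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// Added toy model of the password-gated backup flow; not Google's code, parameters or
// wire format. Assumed stand-ins: PBKDF2-HMAC-SHA256 (20000 iterations), AES-256-GCM
// for both layers, maxAttempts for the chip's limit. Chip public-key envelope not modelled.
const maxAttempts = 10

// seal/open: AES-256-GCM with a random nonce prefixed to the ciphertext (keys are 32 bytes).
func seal(key, pt []byte) []byte {
	b, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(b)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, nil)
}

func open(key, blob []byte) ([]byte, error) {
	b, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(b)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// derive turns the lockscreen password into the KEK, which stays on the phone, and a
// verifier = HMAC(KEK, "verifier") for the chip. The verifier is one-way: holding it does
// not yield the KEK, so the chip (or whoever operates it) cannot unwrap the DEK.
func derive(password, salt []byte) (kek, verifier []byte) {
	prf := func(key, msg []byte) []byte { m := hmac.New(sha256.New, key); m.Write(msg); return m.Sum(nil) }
	u := prf(password, append(append([]byte{}, salt...), 0, 0, 0, 1)) // PBKDF2 block 1: salt || INT(1)
	kek = append([]byte{}, u...)
	for i := 1; i < 20000; i++ { // T1 = U1 xor U2 xor ... xor Uc (RFC 8018, one 32-byte block)
		u = prf(password, u)
		for j := range kek {
			kek[j] ^= u[j]
		}
	}
	return kek, prf(kek, []byte("verifier"))
}

// Chip models one backup security chip: it holds the wrapped DEK and the verifier, and
// releases the wrapped DEK only to a caller presenting the matching verifier.
type Chip struct {
	verifier, wrapped []byte
	failures          int
}

// Enrol stores what the phone sends at backup time. In the real system this arrives
// encrypted to a public key whose private half exists only in the chip (see the reply).
func (c *Chip) Enrol(verifier, wrapped []byte) {
	c.verifier, c.wrapped, c.failures = verifier, wrapped, 0
}

// Recover is the brute-force mitigation: a miss is counted, the compare is constant-time,
// and after maxAttempts the chip refuses even a correct verifier.
func (c *Chip) Recover(verifier []byte) ([]byte, error) {
	if c.failures >= maxAttempts {
		return nil, errors.New("chip locked")
	}
	if subtle.ConstantTimeCompare(verifier, c.verifier) != 1 {
		c.failures++
		return nil, errors.New("wrong verifier")
	}
	return c.wrapped, nil
}

// Backup: a fresh random DEK encrypts the data (the blob "Drive" would store); the DEK,
// wrapped under the KEK, goes to the chip with the verifier. Returns drive blob and salt.
func Backup(chip *Chip, password, data []byte) (driveBlob, salt []byte) {
	salt, dek := make([]byte, 16), make([]byte, 32)
	rand.Read(salt)
	rand.Read(dek)
	kek, verifier := derive(password, salt)
	chip.Enrol(verifier, seal(kek, dek))
	return seal(dek, data), salt
}

// Restore on a new phone: re-derive from the password, obtain the wrapped DEK from the
// chip, unwrap it locally, then decrypt the drive blob. DEK and KEK never leave a phone.
func Restore(chip *Chip, password, salt, driveBlob []byte) ([]byte, error) {
	kek, verifier := derive(password, salt)
	wrapped, err := chip.Recover(verifier)
	if err != nil {
		return nil, err
	}
	dek, err := open(kek, wrapped)
	if err != nil {
		return nil, err
	}
	return open(dek, driveBlob)
}
```

What the model makes visible: the only things that leave the phone are AES-GCM ciphertext (to storage) and a one-way verifier plus a KEK-wrapped key (to the chip), so neither side of the server can decrypt anything on its own; the password is the weak link exactly as the question in the reply suggests, and the chip's attempt counter is what stops an online guess against a four-digit PIN, which is why Restore fails for a wrong PIN and the chip locks for good after maxAttempts misses.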

    • by dargaud ( 518470 )
      I wish stuff like that was easier to install. I just spent hours trying to root my phone and gave up, couldn't find the right files, and many pages with explanations apparently were just auto-generated generic crap that never applied to that model in the first place.
  • by Anonymous Coward

    say no more

    It's high time Google got serious about security. Monthly security patches should be required for ALL phone models, despite the manufacturers' reluctance to actually support their products.

  • by larryjoe ( 135075 ) on Thursday June 06, 2019 @05:17PM (#58721852)

    How are there so many Chinese smartphone companies? I would think that designing, manufacturing, supporting, marketing, and selling a phone would be a challenging task. Do these companies have significant headcount, or do there exist ODM/OEM companies that produce phones for small companies that can then focus on the marketing and selling aspect?

    • by Luthair ( 847766 )
      I imagine you get zero support beyond the carrier. And as carriers have demonstrated, they don't care at all about updating phones, so from their perspective this is a win.
    • by AHuxley ( 892839 )
      The average EU consumer likes low cost products?
      It's all the consumer can afford after all the extra EU nation tax they have to pay.
      • by rtb61 ( 674572 )

        Still, it does enormous damage to the tech reputation of China that such bad products are allowed out with little reaction from the government of China. In the current climate this can do enormous damage to the reputation of Chinese tech products, pretty much treasonous activity considering the harm these nothing companies do to a company like Huawei; they can all be targeted by the same marketing attack because the Government of China actively fails to publicly pursue these cases and prosecute those who act

    • by sad_ ( 7868 )

      they can produce these phones at minimal costs, people like to buy cheap shit.
      no need for support or marketing at all.

    • How are there so many Chinese smartphone companies?

      Yeah that's what I'd like to know. How is it that a group of people that make up 1/7th of the population of the world don't have a much smaller presence in the smartphone market! I'm absolutely perplexed!

  • They list four models but who is to say how many other low end smartphones have the same problem.

    Anything that is super cheap is a good indicator that you are the product, not the hardware you are buying... from smart TVs to smart phones to probably cheap smart toilets, you have to go Full Littlefinger and imagine what is the worst thing this product could be doing.

  • What? Not Huawei?

    by Anonymous Coward

    With all the fuss about the security risks of Huawei phones, shouldn't there be lots of security researchers making a name for themselves by combing through Huawei phones to expose their backdoors?

    Any teeny tiny vulnerability found on Huawei phones would immediately make front page material, and they cannot find any?!?!

    How shocking! Security researchers around the world must be conspiring to hide Huawei backdoors just because they hate Trump!

  • None of those seem to be Huawei phones. Stick with the narrative, Germany!
