Article Lead Image

Bk87/Shutterstock (Licensed)

User error is leaving hundreds of thousands of Android devices open to takeover

User error leaves hundreds of thousands of devices open to takeover, claims one white hat hacker

 

Chris Stokel-Walker

Tech

Posted on Nov 14, 2022

Hundreds of thousands of Android devices—including phones and TV boxes—are vulnerable to hacking because their ports are open to the internet, a hacktivist who has previously hit the headlines warns.

The hacker, who goes by the pseudonym virtrux, was at the helm of a hacking awareness campaign that caused thousands of printers worldwide to produce pro-PewDiePie messages in 2018. Virtrux was also involved in a 2020 purported hack of the U.S. Emergency Alert System.

He believes that the issue is a significant one affecting hundreds of thousands of users. 

Virtrux claims that he’s taken advantage of a vulnerability in the way that developers can access phones through the Android Debug Bridge, or ADB. “I never thought it was unusual but after the printers, it wasn’t far-fetched to see if some could be found on Shodan,” he says. When he looked, there were thousands of devices that were vulnerable.

ADB is typically used for the development of hardware and software, but it’s also part of the rooting process of a device. Manufacturers incorrectly setting up your device can lead to the port to your devices being left open to the internet. It can also be done by users going into their router and changing settings they don’t need to. 

Virtrux points out that some manufacturers open all ports to the internet by default. Likewise, if users try to root their phone, meaning changing settings so that they have access to privileged controls that enable them to alter their phone, they may be asked to enable developer mode, which leaves ports open.

“My thought process is the tool they use to root the device asks you to port forward,” virtrux says. “But with this access someone with ill intentions may install malware, add the phones or various Android-enabled TV boxes to a botnet, or mine on them.”

There are, virtrux says, “seemingly endless possibilities” for hackers once they gain access. And the number of devices is enormous; he has found 10,000 vulnerable devices on Shodan, a popular search engine to find internet-connected devices, with an estimate that there are tens of thousands more viewable through other similar search tools.

Virtrux showed the Daily Dot screenshots and videos that revealed how he could easily inject code into those open devices that would allow a hacker to surreptitiously record the target’s screen, read real-time communication data from Skype, and install and open apps of the hacker’s own choosing on devices—which could include malicious apps.

The hacktivist says he is considering commanding the devices that are open to visit a web page that would highlight the issue to the owners of them. However, he believes that the vulnerability is already known among the hacking community. 

“I have a hunch that threat actors are already using this to their advantage,” he says. “I found someone mining [cryptocurrency]—obviously not the owner—on one of the devices.”

Google declined to comment to the Daily Dot on virtrux’s findings.

The news is worrying for Alan Woodward, professor of cybersecurity at the University of Surrey. “Having ports open is not a problem per se, unless one of those ports enables remote connection or execution,” he said. “If he has found a way of remotely using ADB that could be more troublesome. You just shouldn’t be able to use ADB on a working device, never mind remotely.”

Virtrux confirmed that he was able to access devices remotely, showing the Daily Dot video and screenshots from devices he had gained access to.

Virtrux recommends that people buy Android phones only from reputable sources, that they don’t enable developer mode on any devices unless it’s needed, and that they avoid port forwarding on their router.

web_crawlr
We crawl the web so you don’t have to.
Sign up for the Daily Dot newsletter to get the best and worst of the internet in your inbox every day.
Share this article
*First Published: Nov 14, 2022, 10:04 am CST