The WormHole Vulnerability: The Number of Affected Apps is Increasing

The “WormHole” is a critical vulnerability in the Moplus SDK on Android, which is used by major Baidu products as well as some other apps.

In summary, this vulnerability is caused by “ImmortalService”, a customized HTTP service used for cross-app communication. Because “ImmortalService” uses an incorrect approach to filter requests originating from outside the phone, a remote attacker can use crafted HTTP requests to trigger some of the SDK's pre-set functionality, such as installing an app from the Internet (requires root), launching arbitrary intents, or manipulating the phone's contacts.
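As an added example, not code from the original post or from the Moplus SDK, the following Python sketch shows the class of mistake described above: a local HTTP service meant for same-device apps that decides "is this request from the phone?" on the wrong evidence. The post does not say what check the SDK actually used, so the weak header-based filter, the command table, the request paths and the test-net address 203.0.113.5 are all constructed for the illustration. The hardened version makes two changes that go slightly beyond the text: it decides on the TCP peer address instead of client-supplied data, and it binds the listener to loopback so the port is not reachable from other hosts at all.

```python
"""Constructed example: a local cross-app HTTP service with a weak request
filter beside a hardened one. Not the Moplus SDK's code; all names made up."""
from http.server import BaseHTTPRequestHandler, HTTPServer
import ipaddress
import threading
import urllib.error
import urllib.request

# Stand-in for the SDK's pre-set functions; the real command set is not on the page.
COMMANDS = {"/ping": lambda: "pong"}


def weak_is_local(peer_ip, headers):
    """Weak filter (hypothetical): trusts a header the client supplies.
    Anyone who can reach the port can send the same header, so a request
    from a remote host is indistinguishable from a same-device one."""
    return headers.get("X-Local-App") == "1"


def strong_is_local(peer_ip, headers):
    """Hardened filter: trusts only the TCP peer address. Over an established
    connection this cannot be forged, so only same-device clients pass."""
    return ipaddress.ip_address(peer_ip).is_loopback


def make_handler(is_local):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            cmd = COMMANDS.get(self.path)
            # Unknown command or non-local caller: refuse before doing anything.
            if cmd is None or not is_local(self.client_address[0], self.headers):
                self.send_error(403)
                return
            body = cmd().encode()
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the example quiet
            pass
    return Handler


def start_service(is_local, bind="127.0.0.1", port=0):
    """Start the service in a background thread; returns (server, port).
    Binding to loopback is the second defence: a listener on 0.0.0.0 would
    be reachable from any host that can route to the phone."""
    server = HTTPServer((bind, port), make_handler(is_local))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def call(port, path, headers=None):
    """Send one GET to the local service; returns (status, body)."""
    req = urllib.request.Request(f"http://127.0.0.1:{port}{path}", headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=2) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, ""


if __name__ == "__main__":
    srv, p = start_service(strong_is_local)
    print(call(p, "/ping"))            # (200, 'pong'): same-device caller
    print(call(p, "/not-a-command"))   # (403, ''): unknown command refused
    srv.shutdown()
```

The point of the two pure functions is that `weak_is_local` returns True for a constructed remote address as soon as the header is present, while `strong_is_local` ignores headers entirely; a reviewer auditing a local IPC service should look for exactly this distinction, and for whether the socket is bound to loopback.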

The details of this vulnerability can be found here.

It is entirely possible for an attacker to develop a worm that spreads itself using the WormHole vulnerability. To make matters worse, according to Wooyun.org, if such a worm spreads through popular apps, more than 100M users could be affected.


The Trustlook research team has searched our app database and found that the total number may be even higher. Here is the updated list of affected apps:

Package name                            Installs (Google Play)
cn.jingling.motu.photowonder            50,000,000+
tv.pps.mobile                           10,000,000+
com.baidu.baiducamera                   5,000,000+
mobisocial.omlet                        5,000,000+
xcxin.filexpert                         5,000,000+
com.smart.softclient.music.baseline     1,000,000+
org.cocos2dx.FishGame                   1,000,000+
com.smile.gifmaker                      1,000,000+
com.qiyi.video.market                   1,000,000+
com.baidu.input                         1,000,000+
com.baidu.searchbox                     1,000,000+
com.app.hero.ui                         1,000,000+
com.nd.android.launcher91               1,000,000+
com.letv.android.client                 1,000,000+
com.ubercab.driver                      1,000,000+

Please note that the above list is a conservative estimate of the number of affected users. The data only includes apps on Google Play, and for each app it uses the lower bound of the install range shown there. Apps distributed via other channels are not counted.

This blog will be updated by Nov 4 with more info about the WormHole vulnerability.
