Over the past week it’s come to our attention that a select number of Android phones manufactured by ZTE have been found to contain a poorly protected setuid shell that can be used to gain elevated privileges – also known as ‘root’ access.This type of access allows an attacker full control over a target device – which includes the ability to install or uninstall applications without notice and access to any sensitive personal information on a device.
One might ask, what is the setuid shell? When installing an app, Android by default creates a ‘UID’ (aka User ID) specifically for that package so that it can have its own private resources / storage space. When an app is deleted, so is the corresponding UID. One very special UID is ‘root’, and when something runs as this UID, they have access to everything on the system. This setuid shell, when run, allows an application to grant itself root privileges and ‘run as root’.
This particular vulnerability appears to be limited to a single model of mobile phone distributed through MetroPCS in the US – the ZTE Score M. While acknowledging this issue, ZTE has stated that they are actively working on a security patch and expects to send the over-the-air update to affected users in the very near future. ZTE has publicly denied that any other devices are affected. In no way are other, non-ZTE devices affected by this issue.
What Does it Mean?
Upon further investigation, we’ve found evidence that this issue may actually be an actively used channel by which preloaded applications – such as MetroPCS Visual Voicemail or MetroStudio – can be installed or uninstalled on a given device.
The Technical Details
On affected devices, the setuid shell in question is located at /system/bin/sync_agent. Access is extremely weakly protected – all that’s needed to gain root privileges is to provide a password. That password just happens to be hard–coded into the software and stored in plain text: ‘ztex1609523’.
As mentioned above, the sync_agent tool appears to be used to manage preloaded applications. An example command used to uninstall the ‘MetroStudio’ application using sync_agent and this password is as follows:
sync_agent ztex1609523 pm uninstall com.metropcs.android.metrostudio
How to Stay Safe
Anyone that currently uses a ZTE Score M as their primary phone should be especially careful about any applications that they install on their device. While this issue does not expose a remotely accessible vulnerability on affected phones, it is an issue that could be exploited by targeted, malicious applications installed to the phone. In addition, affected users should download and install patches provided by ZTE and/or Metro PCS as soon as they are rolled out to their device.