We recently discussed both the backdoor-like behavior of the Moplus SDK and the related Wormhole vulnerability. Because the Moplus SDK was developed by Baidu and not publicly accessible, we initially thought the problem was limited to Baidu apps. Our latest research suggests that popular non-Baidu apps are also affected.
The growing impact
Our scanning identified more than 14,000 affected samples of various mobile apps, including multiple samples of the same app (apps are identified by package name). In total, 684 distinct apps were affected, among them popular apps such as Baidu Map and Baidu Searchbox. Table 1 lists the 20 apps with the most vulnerable samples found in the wild:

| Package Name | Highest Version | Samples Gathered |
|---|---|---|

Table 1. Apps with most vulnerable samples
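The counting method behind Table 1 (group scan hits by package name, count the samples, keep the highest version seen) is simple, but the version column is easy to get wrong if versions are compared as strings. The script below is an added example, not Trend Micro's scanning tooling; the sample records are constructed, and the package names are assumed for illustration rather than taken from the table.

```python
"""Added example (not Trend Micro's tooling): aggregate scan hits the way
Table 1 does, grouping samples by package name.  All sample data is constructed."""

# Constructed sample records: (package_name, version_name, apk_id).
# Package names are assumptions for illustration, not data from the table.
SAMPLES = [
    ("com.baidu.BaiduMap", "8.7.0", "a1"),
    ("com.baidu.BaiduMap", "8.7.0", "a2"),    # same app and version, different APK
    ("com.baidu.BaiduMap", "8.10.1", "a3"),
    ("com.baidu.searchbox", "6.6", "b1"),
    ("com.baidu.searchbox", "6.10", "b2"),    # a string compare would rank 6.6 higher
    ("com.example.thirdparty", "1.0", "c1"),
]


def version_key(version):
    """Turn '6.10' into (6, 10) so versions compare numerically, not lexically.
    Non-numeric suffixes (e.g. '2.1b') are stripped from each component."""
    parts = []
    for component in version.split("."):
        digits = "".join(ch for ch in component if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def aggregate(samples):
    """Return {package_name: {"samples": count, "highest_version": version}}."""
    out = {}
    for pkg, ver, _apk_id in samples:
        entry = out.setdefault(pkg, {"samples": 0, "highest_version": ver})
        entry["samples"] += 1
        if version_key(ver) > version_key(entry["highest_version"]):
            entry["highest_version"] = ver
    return out


def top_n(samples, n=20):
    """Rows of (package_name, highest_version, sample_count), most samples first;
    ties are broken by package name so the output is deterministic."""
    agg = aggregate(samples)
    rows = [(pkg, d["highest_version"], d["samples"]) for pkg, d in agg.items()]
    rows.sort(key=lambda r: (-r[2], r[0]))
    return rows[:n]


if __name__ == "__main__":
    for pkg, ver, count in top_n(SAMPLES):
        print(f"{pkg:30} {ver:>8} {count:>4}")
```

Counting by package name rather than by file hash is what lets one app account for many samples: every repackaged or re-signed APK of the same app is a separate sample but the same row.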
Affected app stores
Most of the Baidu apps available on Google Play no longer contain the vulnerable code. One exception is Baidu Music, which still contains it; according to Baidu, the app is no longer maintained and will be taken down from Google Play next week. We also found one third-party app (央视影音) that remains vulnerable.

| App Name | Package Name | Downloads |
|---|---|---|
| 百度音乐 (Baidu Music) | com.ting.mp3.oemc.android | 500,000 – 1,000,000 |
| 央视影音 | cn.cntv | 100,000 – 500,000 |

Table 2. Apps on Google Play with vulnerable code
For apps downloaded via the Baidu app store “百度手机助手” (Baidu Mobile Assistant, com.baidu.appsearch), the most popular affected app had been downloaded more than a billion times. Table 3 lists the 20 most downloaded affected apps, with official Baidu apps in bold and official apps from sources other than Baidu in italics.

| App Name | Package Name | Downloads (millions) | Highest Version |
|---|---|---|---|

Table 3. Twenty most downloaded apps from Baidu with vulnerable code
Solutions and Best Practices
Baidu is upgrading the affected apps to remove the vulnerable code. We recommend that users update their installed apps to the latest versions to protect their devices against this threat. A mobile security product can also block apps that attempt to exploit the vulnerability.
Trend Micro Mobile Security detects apps that contain the vulnerable SDK code as ANDROIDOS_WORMHOLE.HRXA before they can be installed on the device. Its app scanner can also check already-installed apps and flag malicious ones.
Cooperation with Baidu
We have been in touch with Baidu to help resolve this situation. The official reply from Baidu states that they are working on three specific items to help secure users:
- The code in question has been removed from the latest versions of official Baidu apps. As of October 30, only three apps were still affected: Baidu Maps, Baidu Input Method and Baidu Translate. Updates for these apps were released by November 4.
- Other apps on Google Play which are no longer being maintained will be taken down.
- Baidu is reaching out to the developers of other apps that were built with the Moplus SDK in order to ensure that these apps are updated.
Updated on November 7, 2015 8:27 P.M. PDT (UTC-7) to include correction for the versions of the affected apps.