Firmware that actively tries to hide itself allows attackers to install apps as root.

Almost three million Android phones, many of them used by people in the US, are vulnerable to code-execution attacks that remotely seize full control of the devices, researchers said Thursday.

Until recently, the flaw could have been exploited by anyone who took the time to obtain two Internet domains that remained unregistered despite being hardwired into the firmware that introduced the vulnerability. After discovering the vulnerability, researchers from security ratings firm BitSight Technologies registered the addresses and control them to this day. Even now, the failure of the buggy firmware to encrypt communications sent to a server located in China makes code-execution attacks possible when phones don't use virtual private networking software when connecting to public hotspots and other unsecured networks.

Since BitSight and its subsidiary company Anubis Networks took possession of the two preconfigured domains, more than 2.8 million devices have attempted to connect in search of software that can be executed with unfettered "root" privileges, the researchers said. Had malicious parties obtained the addresses before BitSight did, the actors could have installed keyloggers, bugging software, and other malware that completely bypassed security protections built into the Android operating system. The almost three million devices remain vulnerable to so-called man-in-the-middle attacks because the firmware—which was developed by a Chinese company called Ragentek Group—doesn't encrypt the communications sent and received to phones and doesn't rely on code-signing to authenticate legitimate apps. Based on the IP addresses of the connecting devices, vulnerable phones hail from locations all over the world, with the US being the No. 1 affected country.

"The thing that scares us is a lot of these users will be unaware of the vulnerability, and they will never get an update," BitSight CTO Stephen Boyer told Ars. "This is full system compromise. This is at the root level. [Attackers with a MitM position] can do anything."


Read more: Powerful backdoor/rootkit found preinstalled on 3 million Android phones | Ars Technica