Security researchers have discovered a problematic Android update mechanism that exposes user data in plain text and risks full remote compromise of smartphones.
Researchers from BitSight Technologies' Anubis Networks said Android devices that run over-the-air (OTA) update software from Chinese developer Ragentek fetch their updates over an unencrypted channel.
Because the device update mechanism is unencrypted and unauthenticated, attackers in a man-in-the-middle position can remotely execute system commands on vulnerable devices with full root (superuser) privileges, the researchers said.
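The weakness described above is an update client that trusts whatever arrives on the wire. The following Python is an added illustration, not Ragentek's code or anything reverse-engineered from it: it contrasts an updater that executes an unauthenticated manifest with one that refuses a non-TLS URL, verifies a signature over the manifest, refuses shell-command manifests and version rollback, and checks the payload digest. The manifest format, URL, key and package bytes are constructed for the example, and HMAC stands in for the public-key signature a real OTA scheme would use, because the standard library has no asymmetric signing.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed demo key. In a real OTA design the device holds only a PUBLIC key
# (Ed25519/RSA) and the vendor signs offline with the private half; HMAC is used
# here as a stand-in only because the standard library has no asymmetric signatures.
VERIFY_KEY = b"constructed-demo-key-not-a-real-secret"


class UpdateRejected(Exception):
    """Raised when an update fails any integrity, authenticity or policy check."""


def canonical_bytes(manifest):
    # Sign a canonical encoding so key order or whitespace cannot change the result.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key=VERIFY_KEY):
    """Vendor side: produce the signature carried in the update envelope."""
    return hmac.new(key, canonical_bytes(manifest), hashlib.sha256).hexdigest()


def build_envelope(manifest, key=VERIFY_KEY):
    """Vendor side: wrap a manifest with its signature, as the server would serve it."""
    return json.dumps({"manifest": manifest,
                       "signature": sign_manifest(manifest, key)}).encode()


def insecure_parse_update(manifest_body):
    """The unsafe pattern: whatever arrives on the plaintext channel is trusted,
    including a 'commands' list that a privileged updater would run as root."""
    return json.loads(manifest_body).get("commands", [])


def verify_update(update_url, envelope_body, payload, installed_version):
    """Device side: return the manifest only if every check passes."""
    if urlparse(update_url).scheme != "https":
        raise UpdateRejected("update channel must be TLS-protected")
    envelope = json.loads(envelope_body)
    manifest = envelope.get("manifest", {})
    signature = envelope.get("signature", "")
    # Constant-time comparison; a missing or altered signature fails here.
    if not hmac.compare_digest(sign_manifest(manifest), signature):
        raise UpdateRejected("manifest signature invalid")
    if "commands" in manifest:
        raise UpdateRejected("manifest must describe a package, not shell commands")
    if manifest.get("version", 0) <= installed_version:
        raise UpdateRejected("rollback to an older or equal version refused")
    if hashlib.sha256(payload).hexdigest() != manifest.get("sha256"):
        raise UpdateRejected("payload digest does not match signed manifest")
    return manifest


def try_update(update_url, envelope_body, payload, installed_version):
    """Convenience wrapper: 'accepted' or the reason the update was refused."""
    try:
        verify_update(update_url, envelope_body, payload, installed_version)
        return "accepted"
    except UpdateRejected as exc:
        return str(exc)


# Constructed sample data: a genuine update and a copy tampered with in transit.
PAYLOAD = b"constructed-update-package-bytes"
GOOD_MANIFEST = {"version": 2, "package": "ota-2.zip",
                 "sha256": hashlib.sha256(PAYLOAD).hexdigest()}
GOOD_ENVELOPE = build_envelope(GOOD_MANIFEST)
# The on-path attacker keeps the genuine signature but edits the manifest body.
TAMPERED_MANIFEST = dict(GOOD_MANIFEST, commands=["echo attacker-controlled"])
TAMPERED_ENVELOPE = json.dumps({"manifest": TAMPERED_MANIFEST,
                                "signature": json.loads(GOOD_ENVELOPE)["signature"]}).encode()

if __name__ == "__main__":
    print("insecure parser would run:", insecure_parse_update(json.dumps(TAMPERED_MANIFEST).encode()))
    print("genuine over https:", try_update("https://updates.example/ota", GOOD_ENVELOPE, PAYLOAD, 1))
    print("tampered over https:", try_update("https://updates.example/ota", TAMPERED_ENVELOPE, PAYLOAD, 1))
    print("genuine over http:", try_update("http://updates.example/ota", GOOD_ENVELOPE, PAYLOAD, 1))
    print("rollback attempt:", try_update("https://updates.example/ota", GOOD_ENVELOPE, PAYLOAD, 2))
```

The insecure parser happily returns the injected command list, while the verifying path refuses the same tampered envelope, refuses a plain-HTTP URL outright, and refuses an otherwise valid manifest that does not advance the version. Transport encryption alone closes the eavesdropping problem; the signature and digest checks are what stop an on-path party from substituting content even if TLS is misconfigured.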
Phone models sold in Australia from budget makers BLU, DOOGEE, LEAGOO and XOLO are among those listed as vulnerable by the Carnegie Mellon University computer emergency response team (CMU CERT).
The Ragentek software attempts to hide itself from Android operating system tools, prompting CMU CERT to call it a rootkit, or stealth malware.
Around three million devices are believed to be vulnerable, the Anubis researchers said.
Anubis Networks' researchers were able to register two of the three domain names used by the Ragentek software for OTA update checks. They turned them into "sinkholes" for traffic from the application, and were also able to monitor incoming data for analysis.
This gave the researchers visibility of what the vulnerable devices were doing.
It is unclear whether vendors will issue updates for the flaw. CMU CERT advised users with vulnerable devices to use only trusted networks.
The new security scare comes after last week's warning that Android devices running OTA updater code from Chinese developer Adups send extensive amounts of personally sensitive information to servers in Shanghai, without users' knowledge.