CVE-2016-6564: Ragentek Android software contains an over-the-air update mechanism that communicates over an unencrypted channel, which can allow a remote attacker to execute arbitrary code with root privileges

First published: Fri Jul 13 2018(Updated: )

Android devices with code from Ragentek contain a privileged binary that performs over-the-air (OTA) update checks. Additionally, there are multiple techniques used to hide the execution of this binary. This behavior could be described as a rootkit. This binary, which resides as /system/bin/debugs, runs with root privileges and does not communicate over an encrypted channel. The binary has been shown to communicate with three hosts via HTTP: oyag[.]lhzbdvm[.]com oyag[.]prugskh[.]net oyag[.]prugskh[.]com Server responses to requests sent by the debugs binary include functionalities to execute arbitrary commands as root, install applications, or update configurations. Examples of a request sent by the client binary: POST /pagt/agent?data={"name":"c_regist","details":{...}} HTTP/1. 1 Host: 114.80.68.223 Connection: Close An example response from the server could be: HTTP/1.1 200 OK {"code": "01", "name": "push_commands", "details": {"server_id": "1" , "title": "Test Command", "comments": "Test", "commands": "touch /tmp/test"}} This binary is reported to be present in the following devices: BLU Studio G BLU Studio G Plus BLU Studio 6.0 HD BLU Studio X BLU Studio X Plus BLU Studio C HD Infinix Hot X507 Infinix Hot 2 X510 Infinix Zero X506 Infinix Zero 2 X509 DOOGEE Voyager 2 DG310 LEAGOO Lead 5 LEAGOO Lead 6 LEAGOO Lead 3i LEAGOO Lead 2S LEAGOO Alfa 6 IKU Colorful K45i Beeline Pro 2 XOLO Cube 5.0

Credit: cret@cert.org

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/nvd-index
• agent/weakness
• agent/type
• agent/softwarecombine
• collector/mitre-cve
• source/MITRE
• agent/severity
• agent/author
• agent/title
• agent/references
• agent/last-modified-date
• agent/tags
• agent/description
• agent/first-publish-date
• agent/event
• vendor/infinixauthority
• canonical/infinixauthority hot x507 firmware
• canonical/infinixauthority hot x507
• canonical/infinixauthority hot 2 x510 firmware
• canonical/infinixauthority hot 2 x510
• canonical/infinixauthority zero x506 firmware
• canonical/infinixauthority zero x506
• canonical/infinixauthority zero 2 x509 firmware
• canonical/infinixauthority zero 2 x509
• vendor/bluproducts
• canonical/bluproducts studio g firmware
• canonical/bluproducts studio g
• canonical/bluproducts studio g plus firmware
• canonical/bluproducts studio g plus
• canonical/bluproducts studio 6.0 hd firmware
• canonical/bluproducts studio 6.0 hd
• canonical/bluproducts studio x firmware
• canonical/bluproducts studio x
• canonical/bluproducts studio x plus firmware
• canonical/bluproducts studio x plus
• canonical/bluproducts studio c hd firmware
• canonical/bluproducts studio c hd
• vendor/xolo
• canonical/xolo cube 5.0 firmware
• canonical/xolo cube 5.0
• vendor/beeline
• canonical/beeline pro 2 firmware
• canonical/beeline pro 2
• vendor/iku-mobile
• canonical/iku-mobile colorful k45i firmware
• canonical/iku-mobile colorful k45i
• vendor/leagoo
• canonical/leagoo lead 5 firmware
• canonical/leagoo lead 5
• canonical/leagoo lead 6 firmware
• canonical/leagoo lead 6
• canonical/leagoo lead 3i firmware
• canonical/leagoo lead 3i
• canonical/leagoo lead 2s firmware
• canonical/leagoo lead 2s
• canonical/leagoo alfa 6 firmware
• canonical/leagoo alfa 6
• vendor/doogee
• canonical/doogee voyager 2 dg310i firmware
• canonical/doogee voyager 2 dg310i