Posted on

CVE-2016-6564 (alfa_6_firmware, colorful_k45i_firmware, cube_5.0_firmware, hot_2_x510_firmware, hot_x507_firmware, lead_2s_firmware, lead_3i_firmware, lead_5_firmware, lead_6_firmware, pro_2_firmware, studio_6.0_hd_firmware, studio_c_hd_firmware, studio_g_firmware, studio_g_plus_firmware, studio_x_firmware, studio_x_plus_firmware, voyager_2_dg310i_firmware, zero_2_x509_firmware, zero_x506_firmware)

Android devices with code from Ragentek contain a privileged binary that performs over-the-air (OTA) update checks. Additionally, there are multiple techniques used to hide the execution of this binary. This behavior could be described as a rootkit. This binary, which resides as /system/bin/debugs, runs with root privileges and does not communicate over an encrypted channel. The binary has been shown to communicate with three hosts via HTTP: oyag[.]lhzbdvm[.]com oyag[.]prugskh[.]net oyag[.]prugskh[.]com Server responses to requests sent by the debugs binary include functionalities to execute arbitrary commands as root, install applications, or update configurations. Examples of a request sent by the client binary: POST /pagt/agent?data={«name»:»c_regist»,»details»:{…}} HTTP/1. 1 Host: Connection: Close An example response from the server could be: HTTP/1.1 200 OK {«code»: «01», «name»: «push_commands», «details»: {«server_id»: «1» , «title»: «Test Command», «comments»: «Test», «commands»: «touch /tmp/test»}} This binary is reported to be present in the following devices: BLU Studio G BLU Studio G Plus BLU Studio 6.0 HD BLU Studio X BLU Studio X Plus BLU Studio C HD Infinix Hot X507 Infinix Hot 2 X510 Infinix Zero X506 Infinix Zero 2 X509 DOOGEE Voyager 2 DG310 LEAGOO Lead 5 LEAGOO Lead 6 LEAGOO Lead 3i LEAGOO Lead 2S LEAGOO Alfa 6 IKU Colorful K45i Beeline Pro 2 XOLO Cube 5.0