CVE-2016-6564

Android devices with code from Ragentek contain a privileged binary that performs over-the-air (OTA) update checks. Additionally, there are multiple techniques used to hide the execution of this binary. This behavior could be described as a rootkit. This binary, which resides as /system/bin/debugs, runs with root privileges and does not communicate over an encrypted channel. The binary has been shown to communicate with three hosts via HTTP: oyag[.]lhzbdvm[.]com oyag[.]prugskh[.]net oyag[.]prugskh[.]com Server responses to requests sent by the debugs binary include functionalities to execute arbitrary commands as root, install applications, or update configurations. Examples of a request sent by the client binary: POST /pagt/agent?data={"name":"c_regist","details":{...}} HTTP/1. 1 Host: 114.80.68.223 Connection: Close An example response from the server could be: HTTP/1.1 200 OK {"code": "01", "name": "push_commands", "details": {"server_id": "1" , "title": "Test Command", "comments": "Test", "commands": "touch /tmp/test"}} This binary is reported to be present in the following devices: BLU Studio G BLU Studio G Plus BLU Studio 6.0 HD BLU Studio X BLU Studio X Plus BLU Studio C HD Infinix Hot X507 Infinix Hot 2 X510 Infinix Zero X506 Infinix Zero 2 X509 DOOGEE Voyager 2 DG310 LEAGOO Lead 5 LEAGOO Lead 6 LEAGOO Lead 3i LEAGOO Lead 2S LEAGOO Alfa 6 IKU Colorful K45i Beeline Pro 2 XOLO Cube 5.0

Android devices with code from Ragentek contain a privileged binary that performs over-the-air (OTA) update checks. Additionally, there are multiple techniques used to hide the execution of this binary. This behavior could be described as a rootkit. This binary, which resides as /system/bin/debugs, runs with root privileges and does not communicate over an encrypted channel. The binary has been shown to communicate with three hosts via HTTP: oyag[.]lhzbdvm[.]com oyag[.]prugskh[.]net oyag[.]prugskh[.]com Server responses to requests sent by the debugs binary include functionalities to execute arbitrary commands as root, install applications, or update configurations. Examples of a request sent by the client binary: POST /pagt/agent?data={"name":"c_regist","details":{...}} HTTP/1. 1 Host: 114.80.68.223 Connection: Close An example response from the server could be: HTTP/1.1 200 OK {"code": "01", "name": "push_commands", "details": {"server_id": "1" , "title": "Test Command", "comments": "Test", "commands": "touch /tmp/test"}} This binary is reported to be present in the following devices: BLU Studio G BLU Studio G Plus BLU Studio 6.0 HD BLU Studio X BLU Studio X Plus BLU Studio C HD Infinix Hot X507 Infinix Hot 2 X510 Infinix Zero X506 Infinix Zero 2 X509 DOOGEE Voyager 2 DG310 LEAGOO Lead 5 LEAGOO Lead 6 LEAGOO Lead 3i LEAGOO Lead 2S LEAGOO Alfa 6 IKU Colorful K45i Beeline Pro 2 XOLO Cube 5.0

Los dispositivos Android con código de Ragentek contienen un binario privilegiado que realiza comprobaciones de actualizaciones OTA (over-the-air). Además, hay múltiples técnicas en uso para ocultar la ejecución de este binario. El comportamiento podría describirse como rootkit. Este binario, que reside como /system/bin/debugs, se ejecuta con privilegios root y no se comunica mediante un canal cifrado. Se ha mostrado que el binario se comunica con tres hosts mediante HTTP: oyag[.]lhzbdvm[.]com, oyag[.]prugskh[.]net y oyag[.]prugskh[.]com. Las respuestas del servidor a las peticiones enviadas por el binario debugs incluyen funcionalidades para ejecutar comandos arbitrarios como root, instalar aplicaciones o actualizar configuraciones. Ejemplos de una petición enviada por el binario del cliente: POST /pagt/agent?data={"name":"c_regist","details":{...}} HTTP/1. 1 Host: 114.80.68.223 Connection: Close Un ejemplo de respuesta del servidor podría ser: HTTP/1.1 200 OK {"code": "01", "name": "push_commands", "details": {"server_id": "1" , "title": "Test Command", "comments": "Test", "commands": "touch /tmp/test"}} Se ha informado que este binario está presente en los siguientes dispositivos: BLU Studio G, BLU Studio G Plus, BLU Studio 6.0 HD, BLU Studio X, BLU Studio X Plus, BLU Studio C HD, Infinix Hot X507, Infinix Hot 2 X510, Infinix Zero X506, Infinix Zero 2 X509, DOOGEE Voyager 2 DG310, LEAGOO Lead 5, LEAGOO Lead 6, LEAGOO Lead 3i, LEAGOO Lead 2S, LEAGOO Alfa 6, IKU Colorful K45i, Beeline Pro 2 y XOLO Cube 5.0.