Published: 13/07/2018 Updated: 09/10/2019

CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6

CVSS v3 Base Score: 8.1 | Impact Score: 5.9 | Exploitability Score: 2.2

VMScore: 828

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Android devices with code from Ragentek contain a privileged binary that performs over-the-air (OTA) update checks. Additionally, there are multiple techniques used to hide the execution of this binary. This behavior could be described as a rootkit. This binary, which resides as /system/bin/debugs, runs with root privileges and does not communicate over an encrypted channel. The binary has been shown to communicate with three hosts via HTTP: oyag[.]lhzbdvm[.]com oyag[.]prugskh[.]net oyag[.]prugskh[.]com Server responses to requests sent by the debugs binary include functionalities to execute arbitrary commands as root, install applications, or update configurations. Examples of a request sent by the client binary: POST /pagt/agent?data={"name":"c_regist","details":{...}} HTTP/1. 1 Host: 114.80.68.223 Connection: Close An example response from the server could be: HTTP/1.1 200 OK {"code": "01", "name": "push_commands", "details": {"server_id": "1" , "title": "Test Command", "comments": "Test", "commands": "touch /tmp/test"}} This binary is reported to be present in the following devices: BLU Studio G BLU Studio G Plus BLU Studio 6.0 HD BLU Studio X BLU Studio X Plus BLU Studio C HD Infinix Hot X507 Infinix Hot 2 X510 Infinix Zero X506 Infinix Zero 2 X509 DOOGEE Voyager 2 DG310 LEAGOO Lead 5 LEAGOO Lead 6 LEAGOO Lead 3i LEAGOO Lead 2S LEAGOO Alfa 6 IKU Colorful K45i Beeline Pro 2 XOLO Cube 5.0

Vulnerable Product	Search on Vulmon	Subscribe to Product
infinixauthority hot_x507_firmware -
infinixauthority hot_2_x510_firmware -
infinixauthority zero_x506_firmware -
infinixauthority zero_2_x509_firmware -
bluproducts studio_g_firmware -
bluproducts studio_g_plus_firmware -
bluproducts studio_6.0_hd_firmware -
bluproducts studio_x_firmware -
bluproducts studio_x_plus_firmware -
bluproducts studio_c_hd_firmware -
xolo cube_5.0_firmware -
beeline pro_2_firmware -
iku-mobile colorful_k45i_firmware -
leagoo lead_5_firmware -
leagoo lead_6_firmware -
leagoo lead_3i_firmware -
leagoo lead_2s_firmware -
leagoo alfa_6_firmware -
doogee voyager_2_dg310i_firmware -

More Androids carry phone-home firmware

The Register • Richard Chirgwin • 20 Nov 2016

Backdoor slipped into phones sold outside China doesn't even hide itself successfully

Got a cheap-and-cheerful Android phone from BLU, Infinix, Doogee, Leagoo, IKU, Beeline or Xolo? It might be harbouring some badware in the firmware. The issue affects phones that use an over-the-air update mechanism from Chinese company according to BitSight researcher Dan Dahlberg and Anubis Networks' João Gouveia and Tiago Pereira. Since a firmware update runs at root, the phones in question are vulnerable to pretty much anything a malicious server might install. Which means a keylogger, bugg...

CVE-2016-6564

Vulnerability Summary

Vulnerability Trend

Recent Articles

References

Vulmon Search

About

Products

Connect