Software Engineering Institute

CWE-494: Download of Code Without Integrity Check - CVE-2016-6564

Android devices with code from Ragentek contain a privileged binary that performs over-the-air (OTA) update checks.
Additionally, there are multiple techniques used to hide the execution of this binary. This behavior could be described as a rootkit.

This binary, which resides as /system/bin/debugs, runs with root privileges and does not communicate over an encrypted channel.
The binary has been shown to communicate with three hosts via HTTP:

• oyag[.]lhzbdvm[.]com
• oyag[.]prugskh[.]net
• oyag[.]prugskh[.]com

POST /pagt/agent?data={"name":"c_regist","details":{...}} HTTP/1. 1
Host: 114.80.68.223
Connection: Close

HTTP/1.1 200 OK
{"code": "01", "name": "push_commands", "details": {"server_id": "1" ,
"title": "Test Command", "comments": "Test", "commands": "touch /tmp/test"}}

• BLU Studio G
• BLU Studio G Plus
• BLU Studio 6.0 HD
• BLU Studio X
• BLU Studio X Plus
• BLU Studio C HD
• Infinix Hot X507
• Infinix Hot 2 X510
• Infinix Zero X506
• Infinix Zero 2 X509
• DOOGEE Voyager 2 DG310
• LEAGOO Lead 5
• LEAGOO Lead 6
• LEAGOO Lead 3i
• LEAGOO Lead 2S
• LEAGOO Alfa 6
• IKU Colorful K45i
• Beeline Pro 2
• XOLO Cube 5.0

An remote, unauthenticated attacker in a position to perform man-in-the-middle attacks can execute arbitrary commands as root.

Apply an update
The reporter indicates that BLU has provided an update, which is intended to address the vulnerability, Please see the vendor status page for more details.

For other devices, please check with your device vendor for updates. If you are unable to apply an update, see the following workarounds:

Avoid use of untrusted networks

Use your device on trusted networks only, and avoid using untrusted networks such as open or public wifi.