CVE-2016-6564

Name of the Vulnerable Software and Affected Versions Android devices with code from Ragentek (affected versions not specified) BLU Studio G BLU Studio G Plus BLU Studio 6.0 HD BLU Studio X BLU Studio X Plus BLU Studio C HD Infinix Hot X507 Infinix Hot 2 X510 Infinix Zero X506 Infinix Zero 2 X509 DOOGEE Voyager 2 DG310 LEAGOO Lead 5 LEAGOO Lead 6 LEAGOO Lead 3i LEAGOO Lead 2S LEAGOO Alfa 6 IKU Colorful K45i Beeline Pro 2 XOLO Cube 5.0

Description A privileged binary in Android devices with code from Ragentek performs over-the-air update checks and hides its execution, resembling a rootkit. The binary, located at /system/bin/debugs, runs with root privileges and communicates over an unencrypted channel with three hosts via HTTP. Server responses can execute arbitrary commands as root, install applications, or update configurations. For example, the binary sends requests like "POST /pagt/agent?data={name:c regist,details: {...}}" to the server, and the server responds with commands, such as "touch /tmp/test".

Recommendations For each of the affected devices, consider disabling the /system/bin/debugs binary as a temporary workaround to prevent potential exploitation. Restrict access to the debugs binary to minimize the risk of exploitation. Avoid using the binary until a patch or fix is available from the device manufacturer. At the moment, there is no information about a newer version that contains a fix for this vulnerability.