Unknown
Ragentek Android software contains an over-the-air update mechanism that communicates over an unencrypted channel, which can allow a remote attacker to execute arbitrary code with root privileges
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
Unknown
(0 users assessed)
Unknown
(0 users assessed)Unknown
Unknown
Unknown
Ragentek Android software contains an over-the-air update mechanism that communicates over an unencrypted channel, which can allow a remote attacker to execute arbitrary code with root privileges
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
Android devices with code from Ragentek contain a privileged binary that performs over-the-air (OTA) update checks. Additionally, there are multiple techniques used to hide the execution of this binary. This behavior could be described as a rootkit. This binary, which resides as /system/bin/debugs, runs with root privileges and does not communicate over an encrypted channel. The binary has been shown to communicate with three hosts via HTTP: oyag[.]lhzbdvm[.]com oyag[.]prugskh[.]net oyag[.]prugskh[.]com Server responses to requests sent by the debugs binary include functionalities to execute arbitrary commands as root, install applications, or update configurations. Examples of a request sent by the client binary: POST /pagt/agent?data={“name”:“c_regist”,“details”:{…}} HTTP/1. 1 Host: 114.80.68.223 Connection: Close An example response from the server could be: HTTP/1.1 200 OK {“code”: “01”, “name”: “push_commands”, “details”: {“server_id”: “1” , “title”: “Test Command”, “comments”: “Test”, “commands”: “touch /tmp/test”}} This binary is reported to be present in the following devices: BLU Studio G BLU Studio G Plus BLU Studio 6.0 HD BLU Studio X BLU Studio X Plus BLU Studio C HD Infinix Hot X507 Infinix Hot 2 X510 Infinix Zero X506 Infinix Zero 2 X509 DOOGEE Voyager 2 DG310 LEAGOO Lead 5 LEAGOO Lead 6 LEAGOO Lead 3i LEAGOO Lead 2S LEAGOO Alfa 6 IKU Colorful K45i Beeline Pro 2 XOLO Cube 5.0
Add Assessment
No one has assessed this topic. Be the first to add your voice to the community.
CVSS V3 Severity and Metrics
General Information
Products
- alfa 6 firmware -,
- colorful k45i firmware -,
- cube 5.0 firmware -,
- hot 2 x510 firmware -,
- hot x507 firmware -,
- lead 2s firmware -,
- lead 3i firmware -,
- lead 5 firmware -,
- lead 6 firmware -,
- pro 2 firmware -,
- studio 6.0 hd firmware -,
- studio c hd firmware -,
- studio g firmware -,
- studio g plus firmware -,
- studio x firmware -,
- studio x plus firmware -,
- voyager 2 dg310i firmware -,
- zero 2 x509 firmware -,
- zero x506 firmware -
References
Additional Info
Technical Analysis
Report as Emergent Threat Response
Report as Zero-day Exploit
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
