Software code from Chinese mobile firm Ragentek Group, found in certain Android devices, contains a hidden binary that acts like a rootkit, potentially allowing remote unauthenticated attackers to perform man-in-the-middle attacks and execute arbitrary commands, the CERT division of Carnegie Mellon University's Software Engineering Institute warned on Thursday.
The binary, which resides as /system/bin/debugs, performs automatic over-the-air update checks, running with root privileges, without communicating over an encrypted channel. Moreover, “there are multiple techniques used to hide the execution of this binary,” a CERT vulnerability advisory has reported.
The binary communicates with three hosts via HTTP, and server responses to the code's request include arbitrary command execution, application installations and update configurations, stated the advisory. The vulnerability, designated CVE-2016-6564, has been found in devices manufactured by BLU Products, Infinix Mobility, Ragentek, Beeline, Doogee, IKU Mobile, Leagoo and Xolo – and has been confirmed as exploitable in at least the first three of these OEMs.
BLU Products has an update that fixes the problem, the advisory added. Dan Dahlberg, research scientist at BitSight Technologies, and Tiago Pereira, threat intelligence researcher at AnubisNetworks, are credited with reporting the vulnerability.