Android devices with code from Ragentek contain a privileged binary that performs over-the-air (OTA) update checks. Additionally, there are multiple techniques used to hide the execution of this binary. This behavior could be described as a rootkit. This binary, which resides as /system/bin/debugs, runs with root privileges and does not communicate over an encrypted channel. The binary has been shown to communicate with three hosts via HTTP: oyag[.]lhzbdvm[.]com oyag[.]prugskh[.]net oyag[.]prugskh[.]com Server responses to requests sent by the debugs binary include functionalities to execute arbitrary commands as root, install applications, or update configurations. Examples of a request sent by the client binary: POST /pagt/agent?data={"name":"c_regist","details":{...}} HTTP/1. 1 Host: 114.80.68.223 Connection: Close An example response from the server could be: HTTP/1.1 200 OK {"code": "01", "name": "push_commands", "details": {"server_id": "1" , "title": "Test Command", "comments": "Test", "commands": "touch /tmp/test"}} This binary is reported to be present in the following devices: BLU Studio G BLU Studio G Plus BLU Studio 6.0 HD BLU Studio X BLU Studio X Plus BLU Studio C HD Infinix Hot X507 Infinix Hot 2 X510 Infinix Zero X506 Infinix Zero 2 X509 DOOGEE Voyager 2 DG310 LEAGOO Lead 5 LEAGOO Lead 6 LEAGOO Lead 3i LEAGOO Lead 2S LEAGOO Alfa 6 IKU Colorful K45i Beeline Pro 2 XOLO Cube 5.0
CVSS 2.0
Severity: HIGH
Problem Type: CWE-494,CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| leagoo | lead_2s_firmware | - |
| bluproducts | studio_g_plus_firmware | - |
| bluproducts | studio_6.0_hd_firmware | - |
| leagoo | alfa_6_firmware | - |
| leagoo | lead_6_firmware | - |
| infinixauthority | hot_x507_firmware | - |
| infinixauthority | zero_2_x509_firmware | - |
| bluproducts | studio_c_hd_firmware | - |
| bluproducts | studio_x_firmware | - |
| infinixauthority | zero_x506_firmware | - |
| iku-mobile | colorful_k45i_firmware | - |
| bluproducts | studio_x_plus_firmware | - |
| bluproducts | studio_g_firmware | - |
| leagoo | lead_5_firmware | - |
| leagoo | lead_3i_firmware | - |
| xolo | cube_5.0_firmware | - |
| beeline | pro_2_firmware | - |
| doogee | voyager_2_dg310i_firmware | - |
| infinixauthority | hot_2_x510_firmware | - |
The Doogee Mix Android device with a build fingerprint of DOOGEE/MIX/MIX:7.0/NRD90M/1495809471:user/release-keys contains a pre-installed app with a package name of com.mediatek.factorymode app (versionCode=1, versionName=1) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 3.3 | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | 1.8 | 1.4 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-610,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| doogee | mix_firmware | - |
The Doogee BL5000 Android device with a build fingerprint of DOOGEE/BL5000/BL5000:7.0/NRD90M/1497072355:user/release-keys contains a pre-installed app with a package name of com.mediatek.factorymode app (versionCode=1, versionName=1) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 3.3 | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | 1.8 | 1.4 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-610,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| doogee | bl5000_firmware | - |
An OS command injection vulnerability in the com.sprd.engineermode component in Doogee Note59, Note59 Pro, and Note59 Pro+ allows a local attacker to execute arbitrary code and escalate privileges via the EngineerMode ADB shell, due to incomplete patching of CVE-2025-31710
Products Affected
| Vendor | Product | Version |
|---|---|---|
| doogee | note59_firmware | - |
| doogee | note59_pro+_firmware | - |
| doogee | note59_pro_firmware | - |