Coolpad smartphones sold in China and Taiwan have been found to include a factory-installed backdoor software application that can be used to download unwanted software or perform a wide range of tasks without permission from users.
The built-in security vulnerability was revealed Dec. 17 by the Unit 42 threat research team at Palo Alto Networks in a post on the company's security vulnerability blog. Unit 42 has named the backdoor "CoolReaper."
"We recently discovered that the software installed on many of Coolpad's high-end Android phones includes a backdoor which was installed and operated by Coolpad itself," the post states. "After reviewing Coolpad complaints on message boards about suspicious activities on Coolpad devices, we downloaded multiple copies of the stock ROMs used by Coolpad phones sold in China. We found the majority of the ROMs contained the CoolReaper backdoor."
The CoolReaper backdoor can download, install or activate any Android application without user consent or notification, and can clear user data, uninstall existing applications and disable system applications, according to the post. It can also notify users of fake over-the-air (OTA) updates that don't deliver updates but instead install unwanted applications, the post added. In addition, the backdoor can send or insert arbitrary SMS or MMS messages into the phone, dial arbitrary phone numbers and upload information about device, its location, application usage, calling and SMS history to a Coolpad server, according to Unit 42.
"We expect device manufacturers to install software on top of Android that provides additional functionality and customization, but CoolReaper does not fall into that category," the post continued. "Some mobile carriers install applications that gather usage statistics and other data on how their devices are performing. CoolReaper goes well beyond this type of data collection and acts as a true backdoor into Coolpad devices."
The resulting problems have been reported by Coolpad customers in China, the post explained. "Complaints about this behavior have been ignored by Coolpad or deleted."
Coolpad is the sixth largest smartphone manufacturer in the world and is the third largest in China, according to Unit 42.
"CoolReaper is the first malware we have seen that was built and operated by an Android manufacturer," according to the post. "The changes Coolpad made to the Android OS to hide the backdoor from users and antivirus programs are unique and should make people think twice about the integrity of their mobile devices."
Ryan Olson, the intelligence director at Unit 42, told eWEEK in a Dec. 18 interview that evidence of the backdoor was found by another Unit 42 researcher while he was scanning Chinese user forums and spotted many reports of users who said that their phones were displaying strange behaviors.
"He investigated, and that's really what kicked it off for us," said Olson. Coolpad only sells one smartphone in the United States, the Coolpad Flo, but that model does not include the backdoor vulnerability that affects the company's phones that are sold in China and Taiwan, he said.
"We've never seen this before" where a company would install an application like this before selling it to consumers, said Olson. "The code even includes statements such as 'we are opening the backdoor.'"
Olson said he's not sure why the code was included, but added that the manufacturer could have rationalized it by thinking it could include a system that would display ads or download a video game for a company in exchange for some revenue. "But when they were building that system, they clearly built a lot of other capabilities into it as well," he said. "The capability is certainly there to pretty much install anything. They may have seen it as for good, but any time you open a backdoor it is risky."
Buyers of any phones should know ahead of time of potential issues like this one, said Olson. "This may only include phones in China and Taiwan, but they should at least be aware of it," he said.
The backdoor is "contained in millions of Android devices" sold by Coolpad and is "difficult for Android antivirus programs to identify and remove this backdoor," Unit 42 stated in a related post.