CIO

‘Backdoor’ may be on 10m Coolpad Android smartphones

  • Liam Tung (CSO Online)
  • 18 December, 2014 09:53

Researchers have found over 60 Android ROMs for Coolpad smartphones have a backdoor that gives the Chinese handset maker full control over devices, including the ability to send fake over-the-air update messages.

Security researchers at US security vendor Palo Alto Networks have found 64 Android ROMs (customised firmware) designed for 24 Coolpad smartphones contain a backdoor that compromises the security of as many as 10 million users.

Coolpad is one of the rising smartphone brands in China and with a market share of 11.5 percent, it’s second only to Xiaomi and Lenovo. Its devices are sold in Europe, the Asia Pacific and the US, but not in significant numbers.

Dubbed “CoolReaper” by Palo Alto researchers Claud Xiao and Ryan Olson, the backdoor was created by Coolpad and is a remote management tool that’s a little more aggressive than usual. For example, CoolReaper provides full access to the device, allowing Coolpad to do things like notify owners of fake over-the-air updates, and install additional unwanted software.

The backdoor can also dial phone numbers, and upload information about the device, its location, application usage, calling and SMS history.

“We expect Android manufacturers to pre-install software onto devices that provide features and keep their applications up to date. But the CoolReaper backdoor goes well beyond what users might expect, giving Coolpad complete control over the affected devices, hiding the software from antivirus programs, and leaving users unprotected from malicious attackers,” Olson said in a statement.

The researchers note in the report that CoolReaper’s functionality is mostly hidden to users. “Approximately half of CoolReaper’s malicious and potentially unwanted behaviors have no user interface and provide no user notifications,” the researchers said in the report.

Details about Coolpad’s remote device management software came to light after Coolpad customers in October 2013 began complaining of devices being pushed ads, self-updating, and finding new games that had been installed without their permission.

Then, in November this year, a security researcher discovered a vulnerability in CoolReaper’s backend control system, which allowed further analysis of its functionality.

Xiao and Olson said the tool appears to “specifically target Chinese users”. The researchers also bought a Coolpad Flor phone in the US on November 24 and found it did not contain the backdoor.

On the other hand, the backdoor could be installed on devices outside of China for numerous reasons, including that Coolpad devices are sold directly from China and Hong Kong via eBay and other websites. Users outside of China, for example in Taiwan, could also install the backdoored ROMs.

CSO.com.au has asked Coolpad’s Chinese headquarters for a response and will update the story if it receives one.

Coolpad, which is the smartphone unit of Chinese company Yulong, may find itself in hot water with privacy regulators in Hong Kong and Taiwan, which raised questions over seemingly less-intrusive software installed on devices by Xiaomi.