Hidden backdoor in up to 10m Android phones

News by Tim Ring

Chinese manufacturer Coolpad installs hidden backdoor in Android phones allowing permanent control of the device.

Android users are being warned of a hidden backdoor installed on up to 10 million phones produced by Chinese manufacturer Coolpad which could lead to rogue apps being installed, secret user tracking and even hijack of the device.

The backdoor was discovered by research firm Palo Alto Networks which named it ‘CoolReaper'.

In a 17 December report, the company said that the tool has so far been found on devices in China and Taiwan, but could spread to users in the West through normal sales and because it can be remotely installed. It warns: “This backdoor presents a threat to Android users all over the world.”

The researchers believe the backdoor comes from Coolpad itself, the world's sixth largest mobile phone maker. But it goes far beyond what device manufacturers usually install – and has been deliberately hidden.

It says: “CoolReaper has functionality well beyond what a user would expect. The backdoor gives Coolpad complete control over the devices that contain it.

“Coolpad customers in China have reported installation of unwanted applications and push-notification advertisements coming from the backdoor. Complaints about this behaviour have been ignored by Coolpad or deleted.”

Palo Alto adds: “Coolpad has modified the Android OS contained in many of their ROMs. The modifications are specifically tailored to hide CoolReaper components from the user and from other applications operating on the device.

“These modifications make the backdoor much more difficult for anti-virus programs to detect.”

Palo Alto tested 77 Coolpad ROMs and found the backdoor on 64 of them, across 24 different phone models.

Based on this, it concludes: “Considering that CoolReaper appears to have been embedded into 24 models in the last 12 months, and the Coolpad sales targets published by IDC, it's possible that more than 10 million users have been affected.”

According to Palo Alto, Coolpad claims the tool is “only used for internal testing”, but all told it can:

• Download, install or activate any Android app without user consent.

• Uninstall existing apps or disable system applications.

• Notify users of a fake update that doesn't update the device, but does install unwanted apps.

• Send or insert arbitrary SMS or MMS messages into the phone.

• Upload information about the device, its location, app usage, calling and SMS history to a Coolpad server.

The report also points to a previous serious vulnerability in the backdoor that Coolpad has patched. But Palo Alto says: “The fact that the CoolReaper management interface could be hijacked by malicious attackers through a vulnerability helps highlight the danger of pre-installing this type of backdoor program.

“While this vulnerability may be already fixed, others may exist that could allow a malicious actor to take control of Coolpad devices.”

Independent cyber-experts analysing Palo Alto's findings share its strong concerns about CoolReaper, and Coolpad's own malicious intent.

Chris Oakley, principal security consultant at Nettitude, told SCMagazineUK.com via email: “The development of CoolReaper was obviously well-planned and well-executed. Large efforts were made to conceal its existence and the functionality is extremely feature-rich and threatening.

“There is a lot of evidence within the research paper to show malicious intent; it is inconceivable that this was designed as a way to assist with customer service or any other such excuse.”

Oakley added: “Affected devices are thoroughly compromised and the manufacturer even has the ability to remotely update the backdoor with new functionality.

“Users affected by CoolReaper have unknowingly lost all privacy and security defences ordinarily expected from an Android device. With modern Android devices able to perform everything from GPS mapping to online banking, a user who carries an affected device is left vulnerable to the whims of the backdoor operators.

“The risk is compounded due to the persistent nature of the backdoor; it would be very difficult to remove this implant with certainty. Devices infected with this backdoor give the operator ‘hands on keyboard' access to the device.”

Michael Sutton, VP of security research at Zscaler, agreed with Oakley's view, telling SCMagazineUK.com: “CoolReaper is nothing short of a corporate botnet. With capabilities to remotely access and control mobile devices, a full command and control infrastructure and efforts to conceal its presence on a device, CoolReaper differs from other botnets only in the fact that it's managed by a public company.

“CoolReaper goes well beyond the standard bloatware that Android and PC manufactures tend to pre-install on devices in order to generate revenue from partnerships. Its infrastructure was designed to ensure permanent access to and control over Coolpad devices running the infected ROMs."

Palo Alto advises companies who have Coolpad phones to check for the following files, which may indicate the device contains the backdoor:

• /system/app/CP_DMP.apk

• /system/app/CP_DMP.odex

• /system/app/GoogleGmsFramework.apk

• /system/app/GoogleGmsFramework.apk

• /system/lib/libgmsframework.so

But the company says: “If the phone is rooted, you can simply delete all of these files using your root privileges. However, Coolpad may still be able to install new malware in the future using an OTA update.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews