
Backdoor Found in Android Phones Manufactured by Coolpad: Research

Researchers at Palo Alto Networks released details today of a backdoor on millions of Android-based devices sold by one of the largest smartphone manufacturers in the world.

According to Palo Alto Networks’ Unit 42, certain Android devices from Coolpad contain a backdoor that exposes users to potentially malicious activity. The researchers have dubbed the backdoor ‘CoolReaper.’

“We expect Android manufacturers to pre-install software onto devices that provide features and keep their applications up to date,” said Ryan Olson, intelligence director of Unit 42, Palo Alto Networks, in a statement. “But the CoolReaper backdoor detailed in this report goes well beyond what users might expect, giving Coolpad complete control over the affected devices, hiding the software from antivirus programs, and leaving users unprotected from malicious attackers.”

Coolpad could not be reached for comment before publication. Palo Alto Networks said it attempted to contact Coolpad multiple times and received no response. The security firm said it also passed the details of its findings to Google.

According to the Wall Street Journal, Coolpad acknowledged some of its devices were downloading apps whenever they connected to wireless networks, but that it only happened when users activated an option in the phone’s main settings to enable those downloads. The function was designed to improve user experience by making it more convenient for users who wanted automatic downloads, the company told the paper.

In their report, the researchers describe a backdoor capable of enabling a number of actions, including: downloading, installing and activating any Android application without user consent or notification; notifying users of a fake over-the-air (OTA) update that installs unwanted applications; and uploading information about the device such as its location, app usage and call history.

“One may suspect that the CoolReaper backdoor was created by a malicious [third-party],” the report notes. “However, for the following reasons we believe that the backdoor was created and installed by Coolpad. All CoolReaper APK files we have identified were signed with a certificate that belongs to Coolpad (see Table 3) and the 41 infected stock ROMs are also signed by the same certificate.”

“Some of the stock ROMs that included CoolReaper contained a modified version of Android that was changed specifically to hide CoolReaper from the user and from antivirus programs,” the report continues. “The two domains used as command and control servers for CoolReaper, coolyun.com and 51Coolpad.com, are registered by Coolpad and used by Coolpad for their public cloud services.”
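The report quoted above names coolyun.com and 51Coolpad.com as the CoolReaper command and control domains, and also notes that Coolpad uses the same domains for its public cloud services. The following is an added example (not code from the report or from SecurityWeek) showing how a defender could triage a DNS resolver log for devices that resolve those domains, matching the domain and any subdomain while rejecting look-alikes such as notcoolyun.com; the log format and sample lines are constructed for illustration.

```python
import re

# C2 domains taken from the Unit 42 report as quoted in the article.
# Coolpad also serves legitimate cloud traffic from them, so a hit means
# "inspect this device", not "confirmed backdoor".
COOLREAPER_C2_DOMAINS = ("coolyun.com", "51coolpad.com")

# Constructed sample resolver log (hypothetical format, not real data).
SAMPLE_DNS_LOG = """\
2014-12-17T08:01:12Z client=10.0.0.23 query=A name=www.example.com
2014-12-17T08:01:13Z client=10.0.0.23 query=A name=update.coolyun.com
2014-12-17T08:02:40Z client=10.0.0.41 query=A name=notcoolyun.com
2014-12-17T08:03:02Z client=10.0.0.41 query=AAAA name=api.51Coolpad.com.
2014-12-17T08:05:55Z client=10.0.0.77 query=A name=coolyun.com
"""

LINE_RE = re.compile(
    r"client=(?P<client>\S+)\s+query=(?P<qtype>\S+)\s+name=(?P<name>\S+)"
)


def normalize(name):
    """Strip a trailing root dot and fold case so comparisons are exact."""
    return name.rstrip(".").lower()


def matches_c2(name, c2_domains=COOLREAPER_C2_DOMAINS):
    """True if name is one of the C2 domains or a subdomain of one.

    Suffix matching is anchored on a dot so 'notcoolyun.com' is not a hit.
    """
    n = normalize(name)
    return any(n == d or n.endswith("." + d) for d in c2_domains)


def scan_dns_log(text):
    """Return (client, queried_name) pairs that touched a C2 domain."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m and matches_c2(m.group("name")):
            hits.append((m.group("client"), normalize(m.group("name"))))
    return hits


def clients_to_inspect(text):
    """Deduplicated list of client addresses worth a closer look."""
    return sorted({client for client, _ in scan_dns_log(text)})
```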


After a researcher uncovered a vulnerability in CoolReaper’s backend control system in November, Coolpad acknowledged the control system’s presence when it agreed to patch the issue. The control system is hosted on coolyun.com, which also hosts the command and control server for CoolReaper, according to Palo Alto Networks.

“Reports of suspicious activity on Coolpad Android devices began appearing on Chinese user forums in October of 2013,” the report explains.

According to the report, users on those forums complained that advertisements were being pushed as notifications, that new applications were appearing without the user’s knowledge, and that over-the-air updates didn’t update the OS as expected.

In light of those reports, Palo Alto Networks researchers began investigating both stock and modified ROM files that form the base of the Coolpad Android installation. In total, the firm acquired 77 ROMs for the Chinese versions of Coolpad Android devices. Sixty-four of them contained the backdoor. Altogether, researchers confirmed that at least 24 different Coolpad models contain the CoolReaper backdoor, including the Dazen F2 8675 and Dazen F1 8297W models. A full list is contained within the report.

“We urge the millions of Coolpad users who may be impacted by CoolReaper to inspect their devices for presence of the backdoor and to take measures to protect their data,” Olson said. 

Written By

Marketing professional with a background in journalism and a focus on IT security.
