Researchers at Palo Alto Networks released details today of a backdoor on millions of Android-based devices sold by one of the largest smartphone manufacturers in the world.
According to Palo Alto Networks’ Unit 42, certain Android devices from Coolpad contain a backdoor that exposes users to potentially malicious activity. The researchers have dubbed the backdoor ‘CoolReaper.’
“We expect Android manufacturers to pre-install software onto devices that provide features and keep their applications up to date,” said Ryan Olson, intelligence director of Unit 42, Palo Alto Networks, in a statement. “But the CoolReaper backdoor detailed in this report goes well beyond what users might expect, giving Coolpad complete control over the affected devices, hiding the software from antivirus programs, and leaving users unprotected from malicious attackers.”
Coolpad could not be reached for comment before publication. Palo Alto Networks said it attempted to contact Coolpad multiple times and received no response, and that it has also passed the details of its findings to Google.
According to the Wall Street Journal, Coolpad acknowledged some of its devices were downloading apps whenever they connected to wireless networks, but that it only happened when users activated an option in the phone’s main settings to enable those downloads. The function was designed to improve user experience by making it more convenient for users who wanted automatic downloads, the company told the paper.
In their report, the researchers describe a backdoor capable of enabling a number of actions, including: downloading, installing and activating any Android application without user consent or notification; notifying users of a fake over-the-air (OTA) update that installs unwanted applications; and uploading information about the device such as its location, app usage and call history.
“One may suspect that the CoolReaper backdoor was created by a malicious [third-party],” the report notes. “However, for the following reasons we believe that the backdoor was created and installed by Coolpad. All CoolReaper APK files we have identified were signed with a certificate that belongs to Coolpad (see Table 3) and the 41 infected stock ROMs are also signed by the same certificate.”
“Some of the stock ROMs that included CoolReaper contained a modified version of Android that was changed specifically to hide CoolReaper from the user and from antivirus programs,” the report continues. “The two domains used as command and control servers for CoolReaper, coolyun.com and 51Coolpad.com, are registered by Coolpad and used by Coolpad for their public cloud services.”
After a researcher uncovered a vulnerability in CoolReaper’s backend control system in November, Coolpad acknowledged the control system’s existence when it agreed to patch the issue. That control system is hosted on coolyun.com, the same domain that hosts CoolReaper’s command and control server, according to Palo Alto Networks.
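The two command and control domains named in the report, coolyun.com and 51Coolpad.com, are the only network indicators the article gives, and they double as Coolpad’s legitimate cloud domains. The script below is an added example, not code from Unit 42 or the article: it runs a subdomain-aware, case-insensitive match for those domains over DNS query log lines and lists the clients that resolved them. The log line format and every address, timestamp and query in the sample are constructed for the example. Because Coolpad’s public cloud services share these domains, a hit marks a device worth inspecting, not a confirmed infection.

```python
import re
from typing import Iterable, List, Tuple

# Indicator domains taken from the Unit 42 report as quoted in the article.
# Stored lowercase so matching is case-insensitive.
C2_DOMAINS = ("coolyun.com", "51coolpad.com")

# Constructed sample DNS query log (not real traffic). The one-line-per-query
# layout with ts / client= / qname= / qtype= fields is an assumption of this
# example, not the format of any real resolver.
SAMPLE_LOG = """\
2014-12-17T08:01:12Z client=10.0.0.12 qname=www.example.com qtype=A
2014-12-17T08:01:15Z client=10.0.0.12 qname=api.coolyun.com qtype=A
2014-12-17T08:02:40Z client=10.0.0.31 qname=update.51Coolpad.com qtype=A
2014-12-17T08:03:02Z client=10.0.0.44 qname=notcoolyun.com qtype=A
2014-12-17T08:03:59Z client=10.0.0.12 qname=COOLYUN.COM. qtype=AAAA
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+)$"
)


def normalize(qname: str) -> str:
    """Lowercase the name and drop a trailing root dot (FQDN form)."""
    return qname.lower().rstrip(".")


def matches_indicator(qname: str, indicators=C2_DOMAINS) -> bool:
    """True if qname is an indicator domain or a subdomain of one.

    The suffix check requires a leading '.', so 'notcoolyun.com' does not
    match 'coolyun.com' while 'api.coolyun.com' does.
    """
    name = normalize(qname)
    return any(name == d or name.endswith("." + d) for d in indicators)


def find_c2_hits(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, normalized qname) for each matching query."""
    hits = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            # Tolerate garbage rather than aborting a large log scan.
            continue
        if matches_indicator(m["qname"]):
            hits.append((m["ts"], m["client"], normalize(m["qname"])))
    return hits


def clients_to_inspect(hits: List[Tuple[str, str, str]]) -> List[str]:
    """Unique client addresses that resolved an indicator domain, sorted."""
    return sorted({client for _, client, _ in hits})


if __name__ == "__main__":
    hits = find_c2_hits(SAMPLE_LOG.splitlines())
    for ts, client, qname in hits:
        print(f"{ts} {client} -> {qname}")
    print("inspect:", ", ".join(clients_to_inspect(hits)))
```

On the sample, the lookups for api.coolyun.com, update.51Coolpad.com and COOLYUN.COM. are flagged and notcoolyun.com is not, which leaves two client addresses to inspect. Against a real resolver log, replace `LINE_RE` with a pattern for that log’s format and feed the file line by line.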
“Reports of suspicious activity on Coolpad Android devices began appearing on Chinese user forums in October of 2013,” the report explains.
Users reported that advertisements were being pushed as notifications, that new applications were appearing without their knowledge, and that over-the-air updates did not update the OS as expected.
In light of those reports, Palo Alto Networks researchers began investigating both stock and modified ROM files that form the base of the Coolpad Android installation. In total, the firm acquired 77 ROMs for the Chinese versions of Coolpad Android devices; 64 of them contained the backdoor. Altogether, researchers confirmed that at least 24 different Coolpad models contain the CoolReaper backdoor, including the Dazen F2 8675 and Dazen F1 8297W. A full list is contained within the report.
“We urge the millions of Coolpad users who may be impacted by CoolReaper to inspect their devices for presence of the backdoor and to take measures to protect their data,” Olson said.