Company plans to expand to US and European markets

Dec 18, 2014 14:47 GMT  ·  By

High-end smartphones produced by Chinese manufacturer Coolpad come with a backdoor component that is installed and operated by the company itself.

Coolpad is an important player in the smartphone market: it is the third largest manufacturer in China, behind Lenovo and Xiaomi, and the sixth largest in the world. Its activity is concentrated mostly on the Asian market, but the company plans to expand to other parts of the globe, Europe and the US among them.

Company extracts call and text history from the devices

Following reports of suspicious activity on Coolpad devices on message boards in China, security researchers from Palo Alto Networks' Unit 42 analyzed the ROM images the company uses to install Android on its devices. They found that most of the images contained a backdoor, which they named CoolReaper.

“We expect device manufacturers to install software on top of Android that provides additional functionality and customization, but CoolReaper does not fall into that category. Some mobile carriers install applications that gather usage statistics and other data on how their devices are performing. CoolReaper goes well beyond this type of data collection and acts as a true backdoor into Coolpad devices,” the report from Palo Alto Networks says.

The backdoor offers its handler unrestricted access to the device, from downloading, installing or activating Android apps, removing user data, uninstalling software and disabling system apps, to dialing phone numbers.

Beyond this, private information such as call and text message history is uploaded to a company server. Sending SMS and MMS messages, and inserting them into the phone's message store, is also on the list of capabilities. All of this takes place without the user's consent.

Almost all Coolpad ROMs contain CoolReaper backdoor

The researchers say that the manufacturer customized the Android OS so that the malicious component remains hidden both from the user and from other apps running on the device, including antivirus solutions.

Out of 77 ROMs analyzed by the security experts, 64 contained CoolReaper, affecting at least 24 Coolpad phone models. At the moment, the impact appears to be contained to China and Taiwan.

The investigation was triggered by various users reporting unusual behavior on their phones. This ranged from the installation of unwanted applications and the receipt of push notification advertisements to OTA (over-the-air) update alerts that did not result in a new version of the operating system being installed.

Coolpad also sells lower-priced devices, the most popular being those in the Dazen/Halo series (F1, F1 Plus, 1S, F2 and Note). Eight of these models have been found to run a backdoor-ready version of the Android OS.

[Image gallery: CoolReaper backdoor (5 images). Captions: "List of Coolpad phones infected with CoolReaper"; "Part of the configuration of the command and control server"; "Backdoor message after fake OTA update".]