CoolReaper, a Backdoor in Millions of Coolpad Android Devices

Pierluigi Paganini December 18, 2014

Palo Alto Networks discovered that the software installed on many of Coolpad's high-end Android phones includes a backdoor, dubbed CoolReaper.

The US security firm Palo Alto Networks has discovered that millions of Android smartphones sold by the Chinese smartphone maker Coolpad Group Ltd. may contain a “backdoor”, dubbed CoolReaper, that allows users to be tracked.

Palo Alto Networks released a research paper yesterday (Wednesday) providing the details of its investigation into the CoolReaper backdoor.

The backdoor does much more than tracking: it could be exploited to push unwanted pop-up advertisements and to install unauthorized apps onto users’ mobile devices. In effect, CoolReaper gives its operators complete control of the Android device.


Coolpad customers have reported suspicious activity related to the presence of the backdoor, but their complaints were ignored by the company. The impact could be very serious: more than 10 million users worldwide are threatened by the presence of CoolReaper on their mobile devices.

“Coolpad is the sixth largest manufacturer of smartphones in the world, and the third largest in China. We recently discovered that the software installed on many of Coolpad’s high-end Android phones includes a backdoor which was installed and operated by Coolpad itself,” states the paper.

The experts reviewed multiple copies of the stock ROMs used by Coolpad smartphones sold in China and discovered that the majority of the ROMs were affected by the CoolReaper backdoor.

The report has listed the features implemented by the CoolReaper backdoor:

  • Download, install, or activate any Android application without user consent or notification
  • Clear user data, uninstall existing applications, or disable system applications
  • Notify users of a fake over-the-air (OTA) update that doesn’t update the device, but installs unwanted applications
  • Send or insert arbitrary SMS or MMS messages into the phone
  • Dial arbitrary phone numbers
  • Upload information about the device, its location, application usage, and calling and SMS history to a Coolpad server

The experts explained that CoolReaper is the first malware they have seen that was built and operated by an Android manufacturer.

“The changes Coolpad made to the Android OS to hide the backdoor from users and antivirus programs are unique and should make people think twice about the integrity of their mobile devices. Some mobile carriers install applications that gather usage statistics and other data on how their devices are performing. CoolReaper goes well beyond this type of data collection and acts as a true backdoor into Coolpad devices.”

Coolpad has also modified the Android OS shipped in several ROMs to hide the CoolReaper components from the user and from other applications running on the device.

“These modifications make the backdoor much more difficult for antivirus programs to detect.”

It’s not the first time that Chinese smartphone manufacturers have been accused of shipping backdoors in their products: other popular devices, such as Xiaomi handsets and the Star N9500 smartphone, have previously been found to contain malicious code.

Pierluigi Paganini

(Security Affairs –  CoolReaper, Coolpad)
