Although many outside of Asia will not have heard of it, Chinese company Coolpad is now the third-biggest player in China’s smartphone market, surpassing both international and domestic tech giants such as Apple, Samsung and Huawei. In 2013 Coolpad sold 37.2 million phones worldwide, and it is expected to sell 60 million in 2014.
A new report by security firm Palo Alto Networks (PAN) has found that ‘at least 24’ of Coolpad’s phone models contain a major security flaw called ‘CoolReaper’. This backdoor may already affect up to 10 million users, and allows hackers (which likely include Coolpad itself) to perform a wide range of malicious actions, including the ability to:
- Download, install and activate Android applications (apk files) without the user’s consent or notification
- Connect to unauthorised servers
- Clear user data, uninstall existing applications, or disable system applications
- Send fake over-the-air (OTA) software updates in order to install unwanted applications
- Send or insert fake SMS or MMS messages into the phone
- Dial unauthorised phone numbers
- Upload the device information, its location, application usage information, calling and SMS history to a Coolpad server
‘The operator can simply uninstall or disable all security applications in user devices, install additional malware, steal information and inject content into the users device in multiple ways.’
The PAN report concludes that,
- ‘The CoolReaper backdoor was signed using Coolpad digital certificates, built into Coolpad stock ROMs and uses Coolpad servers for command and control.
- Coolpad acknowledges the existence of a phone management interface, which contains the same functionality as the CoolReaper backdoor. This interface is on an Internet-facing server and recently contained a vulnerability that allowed unauthorized access.
- Stock Coolpad ROMs contain modifications to help hide CoolReaper from users and antivirus programs.
- Despite multiple user reports and complaints about unwanted applications and advertisements, Coolpad has not addressed this issue with their customers.’
‘CoolReaper is the first malware we have seen that was built and operated by an Android manufacturer. The changes Coolpad made to the Android OS to hide the backdoor from users and antivirus programs are unique and should make people think twice about the integrity of their mobile devices.’
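The findings above (a backdoor shipped as a vendor-signed system app that can silently install and remove packages and send SMS) raise the practical question of how a defender would spot an unexpected privileged system package on an OEM ROM. The script below is an added example and is not code from the article or from Palo Alto Networks: it parses the real output format of `adb shell pm list packages -f` and a `dumpsys package`-shaped extract, compares system-partition packages against a vendor-published baseline, and maps granted permissions to the capability classes the report lists. All package names, hashes and the baseline are constructed placeholders, not Coolpad identifiers.

```python
"""Added example (not from the article or PAN): baseline and permission
audit of factory-installed Android packages. Package names and the
baseline are constructed placeholders."""

import re
from typing import Iterable

# Output format of `pm list packages -f`: package:<apk path>=<package name>
_PM_LINE = re.compile(r"^package:(?P<path>\S+?)=(?P<pkg>[\w.]+)$")
# Shape of `dumpsys package` sections: a package header, then
# "install permissions:" lines of the form <perm>: granted=true|false
_PKG_HDR = re.compile(r"^\s*Package \[(?P<pkg>[\w.]+)\]")
_PERM_LINE = re.compile(r"^\s*(?P<perm>android\.permission\.\w+): granted=(?P<g>true|false)")

# Partitions where a factory-installed package lives.
SYSTEM_PREFIXES = ("/system/", "/vendor/", "/product/", "/system_ext/")

# Real Android permissions mapped to the capability classes in the report.
HIGH_RISK = {
    "android.permission.INSTALL_PACKAGES": "silent app install",
    "android.permission.DELETE_PACKAGES": "silent app removal",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.CALL_PHONE": "place calls",
}


def parse_pm_list(lines: Iterable[str]) -> dict[str, str]:
    """Map package name -> APK path; lines that do not match are ignored."""
    out: dict[str, str] = {}
    for line in lines:
        m = _PM_LINE.match(line.strip())
        if m:
            out[m.group("pkg")] = m.group("path")
    return out


def is_system_package(path: str) -> bool:
    return path.startswith(SYSTEM_PREFIXES)


def find_unbaselined_system_packages(inventory: dict[str, str], baseline: set[str]) -> list[str]:
    """System-partition packages that a clean build of this ROM should not contain."""
    return sorted(p for p, path in inventory.items() if is_system_package(path) and p not in baseline)


def parse_granted_permissions(lines: Iterable[str]) -> dict[str, set[str]]:
    """Map package name -> set of permissions reported as granted=true."""
    granted: dict[str, set[str]] = {}
    current = None
    for line in lines:
        hdr = _PKG_HDR.match(line)
        if hdr:
            current = hdr.group("pkg")
            granted[current] = set()
            continue
        perm = _PERM_LINE.match(line)
        if perm and current is not None and perm.group("g") == "true":
            granted[current].add(perm.group("perm"))
    return granted


def flag_risky_packages(granted: dict[str, set[str]], baseline: set[str]) -> dict[str, list[str]]:
    """Non-baseline packages holding permissions that enable the listed capabilities."""
    flagged: dict[str, list[str]] = {}
    for pkg, perms in granted.items():
        if pkg in baseline:
            continue
        caps = sorted(HIGH_RISK[p] for p in perms if p in HIGH_RISK)
        if caps:
            flagged[pkg] = caps
    return flagged


# Constructed sample of `pm list packages -f` output.
SAMPLE_PM_OUTPUT = [
    "package:/system/app/Settings/Settings.apk=com.android.settings",
    "package:/system/priv-app/Phone/Phone.apk=com.android.phone",
    "package:/system/app/VendorUpdater/VendorUpdater.apk=com.example.oem.updater",
    "package:/data/app/com.example.game-1/base.apk=com.example.game",
    "unrelated line that should be ignored",
]

# Constructed `dumpsys package`-shaped extract for two of those packages.
SAMPLE_DUMPSYS = """
Packages:
  Package [com.android.phone] (1a2b3c):
    userId=1001
    install permissions:
      android.permission.CALL_PHONE: granted=true
      android.permission.SEND_SMS: granted=true
  Package [com.example.oem.updater] (4d5e6f):
    userId=10042
    install permissions:
      android.permission.INSTALL_PACKAGES: granted=true
      android.permission.DELETE_PACKAGES: granted=true
      android.permission.INTERNET: granted=true
      android.permission.SEND_SMS: granted=false
""".splitlines()

# Constructed baseline: system packages a clean build of this ROM ships with.
SAMPLE_BASELINE = {"com.android.settings", "com.android.phone"}

if __name__ == "__main__":
    inv = parse_pm_list(SAMPLE_PM_OUTPUT)
    for pkg in find_unbaselined_system_packages(inv, SAMPLE_BASELINE):
        print(f"system package not in baseline: {pkg} ({inv[pkg]})")
    for pkg, caps in flag_risky_packages(parse_granted_permissions(SAMPLE_DUMPSYS), SAMPLE_BASELINE).items():
        print(f"{pkg}: {', '.join(caps)}")
```

The baseline is the part a vendor controls: a published list of the packages (ideally with APK hashes) that a clean firmware image contains. Without it the permission check still surfaces non-platform packages that hold install, uninstall, SMS or dialling rights, which is the capability set the report attributes to CoolReaper.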
It should be noted that the PAN team, who are based in the US, could only obtain 3 Coolpad smartphones that were for sale in the US, and these did not have the backdoor installed. It therefore concludes that,
‘The known impact of CoolReaper thus far is limited to China and Taiwan, but Coolpad’s position in the market and global expansion plans mean this backdoor presents a threat to Android users all over the world.’