CoolReaper potentially affects 24 Android phone models and over 10 million users
Coolpad’s modification of Android OS makes it harder for AV programmes to detect
Palo Alto Networks has revealed details of a backdoor contained in millions of Android-based mobile devices sold by Coolpad, a China-based company that is one of the world's largest smartphone manufacturers.
The backdoor, named CoolReaper, exposes users to potential malicious activity and appears to have been installed and maintained by Coolpad despite objections from customers, Palo Alto Networks said in a statement.
It is common for device manufacturers to install software on top of Google's Android mobile operating system to provide additional functionality and customisation, and some mobile carriers install applications that gather data on device performance, the company noted.
Following detailed analysis by Unit 42, the Palo Alto Networks threat intelligence team, it was found that CoolReaper appears to operate well beyond the collection of basic usage data, acting as a true backdoor into Coolpad devices.
Coolpad also appears to have modified a version of the Android OS to make it much more difficult for antivirus programs to detect the backdoor.
CoolReaper, which was discovered by Palo Alto Networks researcher Claud Xiao, has been identified on 24 phone models sold by Coolpad, meaning a potential impact on over 10 million users based on publicly obtainable Coolpad sales information.
“We expect Android manufacturers to pre-install software onto devices that provide features and keep their applications up to date,” said Unit 42 intelligence director Ryan Olson.
“But the CoolReaper backdoor detailed in this report goes well beyond what users might expect, giving Coolpad complete control over the affected devices, hiding the software from antivirus programs, and leaving users unprotected from malicious attackers.
“We urge the millions of Coolpad users who may be impacted by CoolReaper to inspect their devices for presence of the backdoor and to take measures to protect their data,” he added.
CoolReaper background, effect
The full findings related to CoolReaper were published recently in CoolReaper: The Coolpad Backdoor, a new report from Unit 42 written by Xiao and Olson.
In the report, Palo Alto Networks has also published a list of files to check for in Coolpad devices that may indicate the presence of the CoolReaper backdoor.
As observed by Unit 42 researchers, CoolReaper can perform each of the following tasks, any of which might put sensitive user or corporate data at risk:
Download, install, or activate any Android application without user consent or notification;
Clear user data, uninstall existing applications, or disable system applications;
Notify users of a fake over-the-air (OTA) update that doesn't update the device, but installs unwanted applications;
Send or insert arbitrary SMS or MMS messages into the phone;
Dial arbitrary phone numbers; and
Upload information about the device, its location, application usage, calling and SMS history to a Coolpad server.
In addition, malicious attackers could exploit a vulnerability found in CoolReaper's back-end control system, meaning the backdoor is a risk even if Coolpad itself is trusted.
Coolpad acknowledgment (or lack thereof)
Unit 42 began observing what came to be known as CoolReaper following numerous complaints from Coolpad customers in China posted to Internet message boards.
In November, a researcher working with Wooyun.org identified a vulnerability in the back-end control system for CoolReaper, which made clear how Coolpad itself controls the backdoor in the software. In addition, a Chinese news site, Aqniu.com, reported some details of the backdoor’s existence and its abuses in an article published November 20, 2014.
As of December 17, 2014, Coolpad had not responded to multiple requests for assistance from Palo Alto Networks. Google's Android Security Team has also been provided with the data contained in the report.