Backdoor in Android Phones

Monday, December 22, 2014 @ 04:12 PM gHale

There is a backdoor on millions of Android-based devices sold by one of the largest smartphone manufacturers in the world, researchers said.

Android devices from Coolpad contain a backdoor that exposes users to potentially malicious activity, said researchers at Palo Alto Networks’ Unit 42. The researchers call the backdoor ‘CoolReaper.’


“We expect Android manufacturers to pre-install software onto devices that provide features and keep their applications up to date,” said Ryan Olson, intelligence director of Unit 42. “But the CoolReaper backdoor detailed in this report goes well beyond what users might expect, giving Coolpad complete control over the affected devices, hiding the software from antivirus programs, and leaving users unprotected from malicious attackers.”

Palo Alto Networks researchers said they attempted to contact Coolpad multiple times about the backdoor and received no response. The security firm said it also passed the details of its findings to Google.

Coolpad acknowledged that some of its devices were downloading apps whenever they connected to wireless networks, but said that this only happened when users activated an option in the phone’s main settings to enable those downloads, according to a report in the Wall Street Journal. The intent of the function, Coolpad said, was to improve the user experience by making it more convenient for users who wanted automatic downloads.

The researchers describe a backdoor capable of enabling a number of actions, including: Downloading, installing and activating any Android application without user consent or notification; notifying users of a fake over-the-air (OTA) update that installs unwanted applications; and uploading information about the device such as its location, app usage and call history.

“One may suspect that the CoolReaper backdoor was created by a malicious [third-party],” the report notes. “However, for the following reasons we believe that the backdoor was created and installed by Coolpad. All CoolReaper APK files we have identified were signed with a certificate that belongs to Coolpad and the 41 infected stock ROMs are also signed by the same certificate.”
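The attribution argument above rests on a verifiable property: every backdoor APK and every infected stock ROM was signed with the same certificate, one belonging to Coolpad. The script below is an added example (not Palo Alto Networks’ or Coolpad’s code) of how an analyst can reproduce that kind of check across a set of firmware-bundled APKs: it pulls the signer certificate out of each APK’s v1 (JAR-style) signature block, fingerprints it with SHA-256, and groups the APKs by signer so that files sharing one signing key stand out. The APK fixtures, the certificate contents and the PKCS#7 wrapper built in the block are all constructed for the demonstration and are not real signatures; on real files the same functions read `META-INF/*.RSA|DSA|EC` from the APK zip.

```python
import hashlib
import io
import zipfile

# --- minimal DER walker (enough for the PKCS#7 SignedData layout in a v1 APK signature block) ---

def _read_tlv(buf, pos):
    """Return (tag, content_start, content_end) for the DER element at buf[pos]."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                       # long-form length: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
    return tag, pos + hdr, pos + hdr + length

def _children(buf, start, end):
    """Yield (tag, element_start, content_start, content_end) for each element in a constructed type."""
    pos = start
    while pos < end:
        tag, cs, ce = _read_tlv(buf, pos)
        yield tag, pos, cs, ce
        pos = ce

def certificates_from_pkcs7(blob):
    """Extract raw DER certificates from ContentInfo{signedData, [0] SignedData{..., [0] certificates}}."""
    tag, cs, ce = _read_tlv(blob, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, xs, _ = list(_children(blob, cs, ce))[1]      # [0] EXPLICIT wrapper around SignedData
    _, sd_s, sd_e = _read_tlv(blob, xs)                 # SignedData SEQUENCE
    certs = []
    for tag, _, s, e in list(_children(blob, sd_s, sd_e))[3:]:  # after version, digestAlgs, contentInfo
        if tag == 0xA0:                                 # certificates [0] IMPLICIT SET OF Certificate
            certs = [bytes(blob[p:e2]) for t, p, _, e2 in _children(blob, s, e) if t == 0x30]
            break
    return certs

# --- APK side ---

def fingerprint(cert_der):
    """SHA-256 over the certificate's DER bytes, the same value 'apksigner verify --print-certs' reports."""
    return hashlib.sha256(cert_der).hexdigest()

def signer_fingerprints(apk_bytes):
    """Fingerprints of all signer certificates in the APK's v1 signature blocks (v2/v3 blocks not parsed)."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            upper = name.upper()
            if upper.startswith("META-INF/") and upper.endswith((".RSA", ".DSA", ".EC")):
                fps.update(fingerprint(c) for c in certificates_from_pkcs7(z.read(name)))
    return sorted(fps)

def group_by_signer(apks):
    """Map signer fingerprint -> list of APK names, so files sharing one signing key are visible together."""
    groups = {}
    for name, data in apks.items():
        for fp in signer_fingerprints(data) or ["<unsigned>"]:
            groups.setdefault(fp, []).append(name)
    return groups

# --- constructed fixtures (not real certificates or signatures) ---

def _der(tag, content):
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

# Placeholder "certificates": a SEQUENCE with a serial and a label, enough to be found and hashed.
VENDOR_CERT = _der(0x30, _der(0x02, b"\x01") + _der(0x13, b"CN=vendor-signing-fixture"))
THIRD_PARTY_CERT = _der(0x30, _der(0x02, b"\x02") + _der(0x13, b"CN=third-party-fixture"))

def build_fake_pkcs7(cert_der):
    """PKCS#7 SignedData skeleton embedding one certificate; signerInfos left empty (fixture only)."""
    signed_data = _der(0x30,
        _der(0x02, b"\x01")                                           # version
        + _der(0x31, b"")                                             # digestAlgorithms
        + _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D010701")))  # contentInfo: id-data
        + _der(0xA0, cert_der)                                        # certificates [0] IMPLICIT
        + _der(0x31, b""))                                            # signerInfos
    return _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D010702")) + _der(0xA0, signed_data))

def build_fake_apk(cert_der):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", build_fake_pkcs7(cert_der))
    return buf.getvalue()

if __name__ == "__main__":
    # Hypothetical ROM contents: two bundled apps share the vendor key, one comes from elsewhere.
    fleet = {"bundled_a.apk": build_fake_apk(VENDOR_CERT),
             "bundled_b.apk": build_fake_apk(VENDOR_CERT),
             "store_app.apk": build_fake_apk(THIRD_PARTY_CERT)}
    for fp, names in group_by_signer(fleet).items():
        print(fp[:16], sorted(names))
```

The grouping is the useful output: if a suspicious component’s fingerprint lands in the same group as the vendor’s own stock applications, the “signed by a third party” explanation is off the table, which is exactly the inference the report draws. For modern APKs the v2/v3 APK Signature Scheme block must also be checked (the `apksigner verify --print-certs` output from the Android SDK covers both), and the fingerprint compared against the vendor’s published or previously observed signing certificate rather than trusted on sight.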

After a researcher uncovered a vulnerability in CoolReaper’s backend control system in November, Coolpad acknowledged the control system’s presence when they agreed to patch the issue. The control system is on coolyun.com, which also hosts the command and control server for CoolReaper, according to Palo Alto Networks.

“Reports of suspicious activity on Coolpad Android devices began appearing on Chinese user forums in October of 2013,” the report said.

Palo Alto Networks researchers began investigating both stock and modified ROM files that form the base of the Coolpad Android installation. The firm acquired 77 ROMs for the Chinese versions of Coolpad Android devices; sixty-four of them contained the backdoor. Altogether, researchers confirmed that at least 24 different Coolpad models contain the CoolReaper backdoor, including the Dazen F2 8675 and Dazen F1 8297W models.
