Chinese smartphones from Coolpad contain a backdoor, dubbed CoolReaper by Palo Alto researchers, is being used to install apps without user consent.

A popular Android smartphone sold primarily in China and Taiwan but also available worldwide, contains a backdoor from the manufacturer that is being used to push pop-up advertisements and install apps without users’ consent.

The Coolpad devices, however, are ripe for much more malicious abuse, researchers at Palo Alto Networks said today, especially after the discovery of a vulnerability in the backend management interface that exposed the backdoor’s control system.

Ryan Olson, intelligence director at Palo Alto, said the CoolReaper backdoor not only connects to a number of command and control servers, but is also capable of downloading, installing and activating any Android application without the user’s permission. It also sends phony over-the-air updates to devices that instead install applications without notifying the user. The backdoor can also be used to dial phone numbers, send SMS and MMS messages, and upload device and usage information to Coolpad.

The manufacturer has also taken steps via modifications to its version of Android to keep the backdoor hidden from users and security software that could be installed on the phone. For example, Olson said Coolpad has disabled the long-press system that allows a user to find out what application generated an pop-up advertisement or notification, for example.

“Because this is built so deep into the operating system, it can do lots of things, not just display pop-ups,” Olson said. “They can install anything they want without user consent, and push data onto the phone.”

For now it appears the manufacturer’s motivation is revenue generation, given that most users who complained about suspicious behavior in Coolpad user forums expressed concerns about pop-ups and unwanted ads.

“One thing is true of all backdoors,” Olson said. “When you create a backdoor, you might have good intentions, but any backdoor could be abused by an outsider against an individual user or against all users to install their own application.”

Coolpad is the third largest smartphone builder in China, and ranks sixth worldwide with 3.7 percent global market share. It trails only Lenovo and Xiaomi in China and is the leader of China’s 4G market with 16 percent market share. Coolpad outsells Samsung and Apple in China, and has said it plans to expand globally with a goal of 60 million phones worldwide. For now, its high-end Halo Dazen phones are the only ones containing the backdoor, Palo Alto said.

Palo Alto researchers there looked at 77 ROMs for Coolpad Android devices, 64 of which contained the CoolReaper backdoor; 41 of the infected devices contained stock ROM files for eight Dazen models, while 23 were found in third-party ROMs for the remaining 16 Coolpad models, Palo Alto said. The 41 stock ROM files were signed with a certificate belonging to Coolpad, and the command and control domains, coolyun[.]com and 51Coolpad[.]com, are registered by Coolpad and used by the company’s cloud services.

With plans to expand distribution into the United States, Europe and Southeast Asia, the disclosure of CoolReaper, there is the potential for widespread abuse.

“We’ve never seen something with this much capability [from a manufacturer],” Olson said, pointing out that CoolReaper even exceeds Carrier IQ’s software that was found to be recording keystrokes in addition to gathering device and usage information. “This is way more than logging keystrokes. It is installing apps without consent and aggressively hiding from the OS and antivirus programs on the phone.”

Olson said users are reporting that the unwanted apps are games, hinting again that Coolpad may be seeking a separate revenue stream to supplement its sales of relatively inexpensive Android devices.

While sneakily pushing apps and updates onto the phone is bad enough, the independent discovery of the backdoor interface online and subsequent disclosure of a vulnerability means that anyone could access backdoored Coolpad devices and do serious damage.

The vulnerability in the backend control system was reported on Nov. 19 to WooYun.org, a vulnerability crowdsourcing website similar to Bugcrowd. The white-hat researcher was able to log into a Permission Management Platform where, and if he chose, would have been able to push apps through a phone OTA update, silently install and activate APK files, and more. Coolpad confirmed the vulnerability on the same day and gave it its highest severity ranking along with a promise to patch. Olson said Palo Alto has not been able to confirm whether the patch has been made available.

“The vulnerability allows unauthorized access; users are not properly authenticated and it’s on the open Internet,” Olson said. “You’d be able to install whatever you wanted on the phones through a backdoor that’s not necessarily secure.”

A technology publication in China quoting Coolpad public relations said the backdoor is used only for internal testing. However in the next upgrade from version 2.x to 3.0, the backdoor’s APK name was merely changed from CP_DMP.apk to GoogleGmsFramework.apk to hide it from users who had already found it, Palo Alto speculated.

“The fact that the CoolReaper management interface could be hijacked by malicious attackers through a vulnerability helps highlight the danger of pre-installing this type of backdoor program,” Palo Alto said in its report. “While this vulnerability may be already fixed, others may exist that could allow a malicious actor to take control Coolpad devices.”