Chinese handset manufacturer ZTE has confirmed that a security vulnerability is present in the Android-based ZTE Score M smartphone. The phone includes an application, /system/bin/sync_agent , with a hard-coded password that can, now, be easily found on the internet. The application, when run with the password, gives the user root access to the device and therefore could be used to completely take over a phone.

According to ZTE, the backdoor only effects the Score M model sold in the US and the company is "actively working" on a patch that should be delivered over-the-air "in the near future". ZTE says that, despite earlier reports, the ZTE Skate handset is not affected.

Security researcher Dmitri Alperovitch, who discovered the security hole, said that the application was definitely placed on the devices deliberately as ZTE was using it to deliver software updates to the phones. He could not say though if the backdoor application was malicious or simply a careless programming mistake on the part of ZTE.

Knowledge of the vulnerability began to spread last week after an anonymous user disclosed it on Pastebin. ZTE, the world's fourth largest handset manufacturer, is already under close scrutiny in the US over fears of backdoors in devices supplied by Chinese manufacturers.

(fab)