Malware

CoolReaper Revealed: A Backdoor in Coolpad Android Devices

Clock Icon 2 min read

Coolpad is the sixth largest manufacturer of smartphones in the world, and the third largest in China. We recently discovered that the software installed on many of Coolpad’s high-end Android phones includes a backdoor which was installed and operated by Coolpad itself. Today we released a new report detailing the backdoor, which we’ve named “CoolReaper.”

After reviewing Coolpad complaints on message boards about suspicious activities on Coolpad devices, we downloaded multiple copies of the stock ROMs used by Coolpad phones sold in China. We found the majority of the ROMs contained the CoolReaper backdoor.

CoolReaper can perform the following tasks:

  • Download, install, or activate any Android application without user consent or notification
  • Clear user data, uninstall existing applications, or disable system applications
  • Notify users of a fake over-the-air (OTA) update that doesn’t update the device, but installs unwanted applications
  • Send or insert arbitrary SMS or MMS messages into the phone.
  • Dial arbitrary phone numbers
  • Upload information about device, its location, application usage, calling and SMS history to a Coolpad server

We expect device manufacturers to install software on top of Android that provides additional functionality and customization, but CoolReaper does not fall into that category. Some mobile carriers install applications that gather usage statistics and other data on how their devices are performing. CoolReaper goes well beyond this type of data collection and acts as a true backdoor into Coolpad devices.

Coolpad customers in China have reported installation of unwanted applications and push-notification advertisements coming from the backdoor. Complaints about this behavior have been ignored by Coolpad or deleted.

Coolpad has also modified the Android OS contained in many of their ROMs. The modifications are specifically tailored to hide CoolReaper components from the user and from other applications operating on the device. These modifications make the backdoor much more difficult for antivirus programs to detect.

In November a white-hat security researcher identified a vulnerability in the back-end control system for CoolReaper, which allowed him to see how Coolpad controls the backdoor.

CoolReaper is the first malware we have seen that was built and operated by an Android manufacturer. The changes Coolpad made to the Android OS to hide the backdoor from users and antivirus programs are unique and should make people think twice about the integrity of their mobile devices.

Download “CoolReaper: The Coolpad Backdoor” from Unit 42 and learn what you can do to protect your data using the Palo Alto Networks Enterprise Security Platform.

 

Meet the Unit 42 threat intelligence team at Ignite 2015! Register now to join us March 30-April 1, 2015 in Las Vegas.You can also follow us on Twitter (@Ignite_Conf) or drop us a line at ignite2015@paloaltonetworks.com with any questions.

PAN_IC15_web_logo-1

Enlarged Image