Coolpad's backdoor installs apps and tracks customers without their knowledge, say U.S. security researchers

Chinese smartphone maker Coolpad has built an extensive “backdoor” into its Android devices that can track users, serve them unwanted advertisements and install unauthorized apps, a U.S. security firm alleged today.

In a research paper released today, Palo Alto Networks detailed its investigation of the backdoor, which it dubbed “CoolReaper.”

“Coolpad has built a backdoor that goes beyond the usual data collection,” said Ryan Olson, director of intelligence at Palo Alto’s Unit 42. “This is way beyond what one malicious insider could have done.”

Coolpad, which sells smartphones under several brand names — including Halo, also called Danzen — is one of China’s largest ODMs (original device manufacturers). According to IDC, it ranked fifth in China in the third quarter, with 8.4% of the market, and has expanded sales outside of the People’s Republic of China (PRC) and Taiwan to Southeast Asia, the U.S. and Western Europe.

Tipped off by a string of complaints from Coolpad smartphone users in China and Taiwan — who griped about seeing advertisements pop up and apps suddenly appear — Palo Alto dug into the ROM updates that Coolpad offered on its support site and found widespread evidence of CoolReaper. Of the 77 ROMs that Palo Alto examined, 64 contained CoolReaper, including 41 hosted by Coolpad and signed with its own digital certificate.

Other evidence that Coolpad was the creator of the backdoor, said Olson, included the malware’s command-and-control servers — which were registered to domains belonging to the Chinese company and used, in fact, for its public cloud — and an administrative console that other researchers had found last month because of a vulnerability in Coolpad’s backend control system. The console confirmed CoolReaper’s functionality.
CoolReaper has a host of components that allow Coolpad to download updates and apps to devices, start services and uninstall apps, dial phone numbers and send texts, and more — all without user knowledge, much less authorization.

So far, the backdoor has been used to serve up unsolicited ads and install apps without user approval, said Olson, who speculated that both were being done for financial reasons. Coolpad may be getting a per-app-install fee, for example.

But information gathering — including users’ locations, the phone calls and texts they make and send, and their duration — is also possible, Olson added. That raises privacy and security concerns, both notable problems in China, where the government aggressively tracks dissent and censors the Internet.

“Any backdoor can be abused, either by the company that built it or someone who gets access to it,” Olson said.

Because of the vulnerability in Coolpad’s legitimate control system — and the potential for other flaws in that same code — others may be able to access the CoolReaper administrative console and hijack smartphones or plant even more malicious malware on the devices.

Palo Alto was able to obtain only one Coolpad smartphone — one of the models sold in the U.S. — and did not find CoolReaper on the device. Olson suspected that only the Chinese models were fitted with the backdoor.

But he was certain this was more than an oversight, more than the usual Android malware that has been planted on some smartphones at some point in the supply chain.

“This would be a very amazing infiltration of Coolpad’s systems by a rogue insider,” said Olson. “And it’s been going on for over a year, since October 2013.”

Other clues, he said, included CoolReaper’s surreptitious behavior — it hides itself from the operating system — and the use of the word “backdoor” in its source code.

Coolpad did not immediately reply to a request for comment.
Palo Alto’s CoolReaper research paper can be downloaded from the firm’s website (registration required).