Slashdot Mirror


Manufacturer's Backdoor Found On Popular Chinese Android Smartphone

Trailrunner7 writes that researchers at Palo Alto Networks have found a backdoor in Android devices sold by Coolpad. "A popular Android smartphone sold primarily in China and Taiwan, but also available worldwide, contains a backdoor from the manufacturer that is being used to push pop-up advertisements and install apps without users' consent. The Coolpad devices, however, are ripe for much more malicious abuse, researchers at Palo Alto Networks said today, especially after the discovery of a vulnerability in the backend management interface that exposed the backdoor's control system. Ryan Olson, intelligence director at Palo Alto, said the CoolReaper backdoor not only connects to a number of command and control servers, but is also capable of downloading, installing and activating any Android application without the user's permission. It also sends phony over-the-air updates to devices that instead install applications without notifying the user. The backdoor can also be used to dial phone numbers, send SMS and MMS messages, and upload device and usage information to Coolpad."

82 comments

  1. buy cheap ... by Anonymous Coward · · Score: 3, Insightful

    ... get what you pay for

    1. Re:buy cheap ... by sansprivacy · · Score: 1

      Yes, pay way more and get a flagship android or iOS based device, where you are completely insulated from malicious attacks.

  2. Most.Expensive.Burner.Cell.Ever. by Anonymous Coward · · Score: 0

    Just.Saying.

  3. There is no backdoor. by Anonymous Coward · · Score: 5, Funny

    It's just lies and propaganda, there is no backdoor in Coolpads.

    [sent from my Coolpad]

    1. Re:There is no backdoor. by Anonymous Coward · · Score: 3, Funny

      I think you mean: [sent BY my Coolpad]

    2. Re:There is no backdoor. by Krojack · · Score: 1

      [sent by Coolpad CEO]

  4. No different than what we have here by Russ1642 · · Score: 4, Interesting

    Pretty sure that both the iOS and Android systems can do this out of the box, they just have chosen not to. There's also the old Kindle deleting 1984 incident.

    1. Re:No different than what we have here by ArcadeMan · · Score: 4, Informative

      As far as I know, Apple can disable software remotely for security reasons but iOS itself cannot install software without asking the user.

    2. Re:No different than what we have here by davidwr · · Score: 2, Interesting

      Apple can disable software remotely for security reasons but iOS itself cannot install software without asking the user.

      Unless Apple disables the software that prevents iOS from installing software without the user. This function would only be used for security reasons of course.

      --
      Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    3. Re:No different than what we have here by stephanruby · · Score: 1

      ...but iOS itself cannot install software without asking the user.

      Can't you install an app on an iPhone just through iTunes on a PC?

      If so, then yes, iOS supports remote installs.

    4. Re:No different than what we have here by stephanruby · · Score: 1

      Pretty sure that both the iOS and Android systems can do this out of the box, they just have chosen not to. There's also the old Kindle deleting 1984 incident.

      If you bring up 1984 as an example, then you have to bring up U2.

    5. Re:No different than what we have here by Anonymous Coward · · Score: 0

      But who is going to give them "the talk", pay for their college education and their wedding?

    6. Re:No different than what we have here by Russ1642 · · Score: 1

      If you bring up 1984 as an example, then you have to bring up U2.

      No I don't. You can if you want though.

    7. Re:No different than what we have here by rtb61 · · Score: 1

      'Erm' yeah right, apparently you live in a happy delusional world. All the manufacturers can quite readily install software without the user's permissions by the simple expedient of piggybacking the install of the software they want to install on any software or update that you attempt to install from websites they control. The only thing you can do to prevent it is never update and never install an application from their servers. They can of course also force you to upgrade by purposefully breaking the protocols you need with new versions and slip in whatever they want and they can do this at any time.

      Just like the infamous M$ upgrade cycle where patches cripple and slow down the software you are using when they are trying to force the next version on you.

      --
      Chaos - everything, everywhere, everywhen
    8. Re:No different than what we have here by gnasher719 · · Score: 2

      Unless Apple disables the software that prevents iOS from installing software without the user. This function would only be used for security reasons of course.

      It all depends on your definition of "can". Apple could theoretically do _anything_ with your iOS device. Some things would be detectable, some wouldn't, some would be illegal, most would be pointless to do for Apple and would be damaging to business if found out, which is a very good reason not to do it.

      Apple _can_ install apps remotely without asking you, and it actually happens if you buy an app on one phone, and you have set up the other phone to automatically install purchased apps. Well, technically you asked for it, but nothing needs to appear on your iOS device at that moment to ask you. Quite obviously, Apple _can_ install software on your iPhone, because that's what they have to do when you purchase software. Being asked by you to do it is just a small detail. In reality, Apple doesn't install software without asking you.

      Apple _can_ remove software without asking you, and would probably do that to remove malware, if it decides that removing the malware without your explicit permission is better for the customer than not removing it. I don't think they have ever removed anything for that reason, and they haven't removed anything with copyright problems.

    9. Re:No different than what we have here by Anonymous Coward · · Score: 0

      Any business management service can install and update stuff without informing the user.

  5. Google Play Services by Tester · · Score: 3, Funny

    I thought they were describing Google Play Services, which I understand can do all of those things. Except, obviously, that Google is not evil..

    1. Re:Google Play Services by rogoshen1 · · Score: 1

      Google is clearly evil. What kind of kool-aid are you consuming? ..
      oohhhhh!

  6. Disgusting! by fuzzyfuzzyfungus · · Score: 5, Funny

    It's repulsive the sort of tactics that commie chinamen will stoop to, putting backdoors into their products like that. Why, here in America, those are 'features' that you consent to by opening the package, as documented on page 46 of the EULA, as interpreted in mandatory binding arbitration by the company's legal team! It must suck to live in such a benighted, unfree, country, where your cellphone is probably spying on you and may well come preloaded with malware...

    1. Re:Disgusting! by ColdWetDog · · Score: 2

      USA! USA! USA!

      Besides, our Three Letter Agency knows more about us than your Three Letter Agency!

      How do you like them Apples?

      --
      Faster! Faster! Faster would be better!
    2. Re:Disgusting! by Anonymous Coward · · Score: 0

      It's disgusting someone other than google can also do that!

    3. Re:Disgusting! by PRMan · · Score: 2

      How do you like them Apples and Androids?

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
  7. 3-digit /. UID? by davidwr · · Score: 1

    Tester (591)

    Wow, don't see those very often. Good to see old-timers still around.

    So, which do you prefer, Intellivision or ColecoVision? :)

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:3-digit /. UID? by PRMan · · Score: 1

      The sports games and original games were better on Intellivision, but arcade ports rocked on Coleco...

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    2. Re:3-digit /. UID? by Enry · · Score: 1

      Space War

    3. Re:3-digit /. UID? by Anonymous Coward · · Score: 0

      Like those who have walked on the moon it won't be much longer until all the 3-digit UID slashdotters are dead.

    4. Re:3-digit /. UID? by jlv · · Score: 1

      I'm going to hit you with my modem.

    5. Re:3-digit /. UID? by davidwr · · Score: 1

      I'm going to hit you with my modem.

      300 baud or DSL?

      I have both and it's easy to mix the two up especially if you have one of those last-century DSL modems with the DB9 or DB25 serial connector.

      They have about the same usefulness when used to hit people with.

      On some days, they both seem to transfer data at about the same speed. :P

      --
      Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    6. Re:3-digit /. UID? by C+R+Johnson · · Score: 1

      Modem? Damn whippersnapper! Get off my lawn!

      --
      The alternative to limited government is unlimited government.
    7. Re:3-digit /. UID? by operagost · · Score: 1

      Tennis for two. I overclocked my oscilloscope to increase the challenge.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    8. Re:3-digit /. UID? by operagost · · Score: 2

      Modem? Luxury! In my day, we had to touch the phone line to our tongues to sense the voltage drops, then key the data in manually to our analog computers with a cat's whisker we yanked out of our oatmeal box radios!

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    9. Re:3-digit /. UID? by hey! · · Score: 1

      ISDN, so technically not a modem....

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    10. Re:3-digit /. UID? by CaTfiSh · · Score: 1

      I'm easy to please, PONG FTW!

    11. Re:3-digit /. UID? by BancBoy · · Score: 1

      It Still Does Nothing

      --
      [UID-HeinzIntel]
    12. Re:3-digit /. UID? by Miguelito · · Score: 1

      Ah.. really classic gaming.

      The Colecovision baseball that had the specific controllers was a lot of fun.. until we learned the pitch that was a strike but couldn't be hit. Then games became a challenge of who could continue to pitch that exact pitch without making a mistake.

      Man the intellivision had some great games though... B-17 bomber was awesome with the voice module. Tron Deadly Discs was a marathon game if there ever was one. My friend was the best at TDD and could play for hours until it finally got crazy hard.

      --
      - My favorite error message: xscreensaver, running on an old Sparc 5 w/ 8bit color: bsod: Couldn't allocate color Blue
    13. Re:3-digit /. UID? by everythingistaken · · Score: 1

      300 baud or DSL?

      I have both and it's easy to mix the two up especially if you have one of those last-century DSL modems with the DB9 or DB25 serial connector.

      They have about the same usefulness when used to hit people with.

      One with a handset cradle, still in its suitcase, from when slashdot was on uunet with a broken G protocol. It's *much* more useful than a crappy DSL modem to hit people.

    14. Re:3-digit /. UID? by visavillem · · Score: 1

      ISDN, so technically not a modem....

      Technically it is a modem (modulator/demodulator), because data is still transferred via the copper lines, and signal has to be modulated and demodulated at each end. In fact all the network equipment are basically modems, because data has to be modulated (by amplitude, frequency, phase) at the one end to go through the wires and demodulated at the receiving end. This also goes for the wireless equipment.

      --
      I'm not really here, it's just more probable that i'm here, than anywhere else.
  8. The difference is that THERE is evidence by Anonymous Coward · · Score: 0

    Apple can disable software remotely for security reasons but iOS itself cannot install software without asking the user.

    Unless Apple disables the software that prevents iOS from installing software without the user. This function would only be used for security reasons of course.

    This feature has to be very well hidden though, since nobody found it yet even on jailbroken devices.

    But apart from that: All this "I'm pretty sure that x can do y too" is just tiring. I can't even fathom how the world must look to someone who always comes up with that and nothing else. ANY argument that explains everything just explains nothing. It's very much like religion, in which "God" is the ultimate answer to all questions. Like blind faith, blind distrust is the ultimate intellectual capitulation.

    Asking for evidence and weighing the implications makes you able to deal with the world; just assuming things and doing a lot of handwaving does the exact opposite to you. Since there is no total security, details matter. A lot.

    1. Re:The difference is that THERE is evidence by Russ1642 · · Score: 2

      There are a lot of phones set to auto-update. That's pretty much all there is to it at this point.

    2. Re: The difference is that THERE is evidence by Anonymous Coward · · Score: 0

      Both my Android and my friend's iPhone ask to install updates, I'm not aware of any flagship phones that auto update.

    3. Re: The difference is that THERE is evidence by Anonymous Coward · · Score: 1

      I take that back, my Windows 8.1 PC force installs updates once a week, suppose it's possible WP phones may force updates.

    4. Re: The difference is that THERE is evidence by Russ1642 · · Score: 2

      Apps are set to auto-update. App stores control those apps. If they want to replace Gmail with Big Brother v 1.0 they can do that in an instant.

    5. Re: The difference is that THERE is evidence by Anonymous Coward · · Score: 0

      IIRC, my phone asked me if I wanted to enable auto update for apps. It was optional.

      Can't comment on the app store, sadly don't own an Apple product, but on Android you are generally at least given the choice.

    6. Re: The difference is that THERE is evidence by Russ1642 · · Score: 0

      And the people that wrote the app store apps can't possibly disregard the option that you set. Are you at all understanding this issue?

    7. Re: The difference is that THERE is evidence by Anonymous Coward · · Score: 0

      I've seen no incidence of this happening, nor proof that it could with the Play Store without auto update enabled. Is there a single app that auto updates without my permission, even the almighty Google Play Services has to ask.

    8. Re: The difference is that THERE is evidence by Anonymous Coward · · Score: 0

      Oh wait unless you're suggesting that I could install an app (still willingly, and still with reading the permissions and accepting to them), that would then disregard the play store as an update method.

      I should point out that this is against the Play Store's TOS and IIRC there are some apps that took flak for trying (Facebook for one)

    9. Re: The difference is that THERE is evidence by radish · · Score: 2

      What you're saying basically boils down to "in the end you have to trust the people who wrote the OS or built the device". Yes, yes you do. This article is an example of how one such group abused that trust. Of course Apple and Google could do the same, but absent of any evidence that they have done so saying they could is kind of redundant.

      --

      ---- One button is the power button, the other is the Bender voice button "Bite My Shiny Metal Ass"

    10. Re:The difference is that THERE is evidence by Anonymous Coward · · Score: 0

      The difference is that THERE is evidence

      The difference is that you got your head inserted in your ass.
      You think Apple (any brand for that matter) is totally secure, you're a fucking idiot.
      But but but ...there's no evidence...

    11. Re: The difference is that THERE is evidence by Anonymous Coward · · Score: 0

      Both my android and my friends iPhone ask to install updates, I'm not aware of any flagship phones that auto update.

      In what way does that show that it doesn't have the ability to install software silently?
      Just because it asks to install some updates doesn't mean that there isn't a way to send out an update without the request if a three letter organization of choice asks to.

    12. Re: The difference is that THERE is evidence by visavillem · · Score: 1

      my windows 8.1 PC

      well, there's your problem! (in the voice of Adam Savage from Mythbusters).

      Joking aside, my Linux Mint's update has also been overactive lately. Luckily it won't install anything without my consent. Microsoft can push some updates without the consent of the user, even when the windows update service is disabled.

      --
      I'm not really here, it's just more probable that i'm here, than anywhere else.
    13. Re: The difference is that THERE is evidence by gnasher719 · · Score: 1

      What you're saying basically boils down to "in the end you have to trust the people who wrote the OS or built the device". Yes, yes you do. This article is an example of how one such group abused that trust. Of course Apple and Google could do the same, but absent of any evidence that they have done so saying they could is kind of redundant.

      It's more than that. Google and Apple can harm, in principle, by either being evil or incompetent (I'm not claiming they are either). But they have lots of competent developers who try hard to keep you safe. This company here has most likely 10 times less security expertise than either Google or Apple. Which means your risk is much much higher.

  9. Oops, sorry by davidwr · · Score: 1

    I had my "obvious/subtle/totally-deadpan" posting filter set too far to the "deadpan" end of things. To anyone who mis-took me for a conspiracy theorist, I apologize for being too deadpan.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  10. At least commi can talk about it by Anonymous Coward · · Score: 0

    Unlike some other countries where it is a top secret, the one who opened it is among the most wanted..

  11. Verizon and AT&T scoff at "Amateur Hour" backd by Anonymous Coward · · Score: 2

    Harumph! Harumph! (I didn't get a Harumph from that guy.....Harumph!)
    Verizon and AT&T laugh at your puny "backdoor" and limited scope of abuse available through it.
    Why, they opened up their ENTIRE NETWORK to the NSA/CIA/DIA/FBI/any local podunk sheriffs office.
    USA! USA! USA!
    We are STILL Number One!

  12. Are you ready? Are you ready? by Anonymous Coward · · Score: 0

    More like UnCoolpad.

  13. So this company figures by dixonpete · · Score: 1

    that no one will care and people will continue to buy their products? They might be right, and if so it's a bigger slam on the market than it is on the company. Makes you wonder if the executives actually coolly weighed the risk of discovery vs potential profits.

  14. Sounds like my Sony Blu-Ray player by fhage · · Score: 4, Interesting

    I have a Sony BDR-S3100 which grabs an IP address even when it's off. It also frequently updates itself without notification when off, leaving new movie trailers and unfamiliar and unwanted Apps in its menu. Each time it does this, (about every 2 weeks) I have to re-enter all my account login information. There's no way to disable these automatic updates. Sony CS has no solution. In addition, I've discovered when the user starts an App, like Netflix, the player first contacts Sony servers before actually running the app. When their servers are down, the player can't run the Netflix App.

    Devices now own us. I miss the days when I had control over my devices.

    1. Re:Sounds like my Sony Blu-Ray player by Anonymous Coward · · Score: 1

      Yes you have control, don't buy it, especially Sony!

    2. Re:Sounds like my Sony Blu-Ray player by vux984 · · Score: 2

      Sony CS has no solution.

      Whereas I have 3:

      1) Return it and replace it with something better

      2) Firewall it so it can't access the internet over your router. When you actually need/want to update it, it's trivial to disable the rule for a few minutes.

      3) Disconnect it from the network. If it's wired this couldn't be simpler. If it's wireless it may be a little more tedious to forget and re-set up the wifi each time -- in which case maybe #2 above is the better solution.

      But really -- #1 is the correct solution.

    3. Re:Sounds like my Sony Blu-Ray player by almondo · · Score: 4, Funny

      I'd say sue Sony but their lawyers are a bit busy right now.

    4. Re:Sounds like my Sony Blu-Ray player by DeVilla · · Score: 1

      Devices now own us. I miss the days when I had control over my devices.

      I don't have all the neat devices everyone else buys, but I own the ones I buy. I blame people like you for making it more difficult.

    5. Re:Sounds like my Sony Blu-Ray player by Gaygirlie · · Score: 3, Insightful

      Have you checked if it uses HTTP or HTTPS for its traffic? If it's just plain-old HTTP you could redirect the traffic to Sony's servers to a server of your own instead and always just reply with "everything is ok, no updates available, please continue." That's what I've done to several apps and appliances, thereby removing myself from their prying eyes and granting me access to things even when manufacturer's servers are unavailable.

    6. Re:Sounds like my Sony Blu-Ray player by Anonymous Coward · · Score: 0

      Shhhhhh! Don't tell everyone how crap the firmware in the BDR-S3100 is! The reason it's so bad is that the geek who wrote it spent so much of his time posting opinions here instead of learning how to write good code. Quick, blame it on management decisions before anyone finds out!

    7. Re:Sounds like my Sony Blu-Ray player by Anonymous Coward · · Score: 0

      Hack it.
      most (all?) BD players run embedded linux.
      this link should get you started.
      http://www.malcolmstagg.com/bdp-s390.html
      This guy's tools allow for depacking a firmware image, and repacking it.
      you'll probably need to rewrite some of them as some use hardcoded offsets which aren't the same model to model.

      Sony's source code page for your model:
      http://oss.sony.net/Products/Linux/Video/BDP-S1100.html

    8. Re:Sounds like my Sony Blu-Ray player by danomac · · Score: 1

      That would work if you don't want to use Netflix on the BD player. GP says when network/Sony's servers are down apps don't work on the BD player...

    9. Re:Sounds like my Sony Blu-Ray player by vux984 · · Score: 2

      Yeah, the netflix angle breaks things and really just highlights just how terrible a player it is.

      Expect a lot more of this with "Internet of Things".

      I for one am not interested in any of that crap.

  15. Sony Xperias cellphones have backdoors too by Anonymous Coward · · Score: 2, Insightful

    From RealVNC press release:
    "27th February 2012: RealVNC’s remote access technology has been integrated in Sony Mobile Communication’s Android based Xperia smartphones, enabling them to connect to vehicle infotainment systems so that drivers can access their smartphone applications safely from the dashboard display. The technology can also be used in customer support services by helpdesk agents to provide better support to Xperia users."

  16. The difference between these and iPhones by Anonymous Coward · · Score: 0

    is merely that the back-doors in American products are much more well-hidden - but they are still there.

  17. MR. POTATO-HEAD! BACKDOORS ARE NOT SECRETS! by HaeMaker · · Score: 1

    How is this different than the Uber app AT&T just installed on my phone as part of a software update?

  18. What? Even "free" has a price? by rainer_d · · Score: 1, Insightful

    News at 11!

    --
    Windows 2000 - from the guys who brought us edlin
  19. Yep. by Anonymous Coward · · Score: 1

    Buy your Android devices directly from the Google play store.

    Anything cheaper will come with pre-loaded malware that will complicate everything and steal from you.

  20. Yes, Google is evil by Anonymous Coward · · Score: 1

    But if you buy pure android devices directly from Google, you *only* have to deal with Google's evil, and not the additional evil of the manufacturer.

    And the additional evil will always be worse. Google, though evil, has direct incentives to keep its devices secure. The tracking data they get on you is more valuable to them if only they have it. Your perception of the security of their devices is also more valuable to them than what they could gain by installing backdoors.

    For example, a while back a Motorola device came with a Motorola-hacked-out version of Android that sent back to Motorola *everything* you put on your phone (your passwords, your pics, all of it), and did this over UNENCRYPTED HTTP. Google would never do that, because they don't profit from your passwords, they get all your valuable pictures anyway (and they don't profit from your nekkid selfies), and they don't want the stolen data to be available for re-steal (hence no unencrypted http channel).

    So, go with the lesser evil, or get double-screwed.

  21. 691, 630, 141, and 724? Wow by davidwr · · Score: 1

    I don't remember the last time I saw so many members of the 3-digit club in one not-too-long (yet) sub-thread, but it was probably in Bush the 43rd's first term.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  22. Except that ... by Anonymous Coward · · Score: 0

    Anything Android is SPYWARE and MALWARE (by design) with a backdoor built by Google.

    1. Re:Except that ... by visavillem · · Score: 1

      Anything Android is SPYWARE and MALWARE (by design) with a backdoor built by Google.

      [citation needed]

      --
      I'm not really here, it's just more probable that i'm here, than anywhere else.
    2. Re:Except that ... by Anonymous Coward · · Score: 0

      Anything [_INSERT POPULAR MANUFACTURER OS/DEVICE_] is SPYWARE and MALWARE (by design) with a backdoor built by [_INSERT SAID POPULAR MANUFACTURER_]

      If you think that any company isn't doing what Google is, you're sorely mistaken.

  23. Neo900 by ssam · · Score: 1

    The Neo900 looks even more attractive.

  24. Google does it too... by Anonymous Coward · · Score: 0

    ... by updating Play Store itself without any confirmation

  25. and..... by Anonymous Coward · · Score: 0

    where the hell is your Youtube video of this incredible Sony hack, North Korea.....

  26. Surprised? by sansprivacy · · Score: 1

    This is why you don't buy shady things from China directly. There's a reason why Coolpad's products aren't on the US export list.