Smartphone users in China were noticing something odd about their Coolpad phones. The devices were automatically installing strange apps, and the users were getting advertisements through their notifications that had their origins hidden.
Researchers found that Coolpad Group Limited, the sixth largest smartphone manufacturer in the world and third largest in China, had installed a backdoor into their phones and had gone to great lengths to keep it hidden from users.
The findings were released on Dec. 17 by researchers at Silicon Valley-based Palo Alto Networks. They’ve dubbed the backdoor “CoolReaper.”
“The backdoor, we know it was made by Coolpad,” said Ryan Olson, intelligence director with Palo Alto Networks’ Unit 42 threat intelligence team, in a phone interview.
Olson and his team found that Coolpad operated a control infrastructure for the backdoor, and that Coolpad had signed for different elements of the backdoor.
Coolpad Group Limited did not immediately respond to an email inquiring about the allegations.
The backdoor threatens user security. Aside from Coolpad’s more irritating uses of the system, such as sending unwanted messages to users and installing unwanted apps on their phones, it could also be used for more nefarious purposes.
“If a malicious actor got a hold of that,” Olson said, “through this backdoor you could install a program to turn the camera on, turn the microphone on, and steal all sorts of information from the phone without the user ever knowing about it.”
Coolpad’s spy system also had flimsy security. It was first uncovered in November by a Chinese researcher who had gained access to the CoolReaper control panel and posted the findings on a Chinese security website. Palo Alto Networks began researching the backdoor soon after.
Olson said one of the more surprising findings was the lengths to which Coolpad had apparently gone to hide its backdoor. They had modified the Android OS to remove notifications that would let users know the backdoor existed, and had even installed their own antivirus program, which was altered to skip over the backdoor.
It’s not uncommon for smartphone manufacturers to alter the Android OS to create their own features, Olson said. “But in the case of CoolReaper, it doesn’t look like there are any benefits to this.”
The findings also fit into a growing and concerning trend of spying software pre-installed in Chinese smartphones.
In June, security researchers at Germany’s G Data found spying software pre-installed on the China-made Star N9500 smartphone.
Soon after, in July, researchers found similar spying software pre-installed on Xiaomi’s Redmi Note smartphone. Xiaomi is the third largest smartphone manufacturer in the world.
News soon followed that hackers with the Chinese regime were targeting smartphones. A spy campaign was uncovered in September by researchers at Lacoon Mobile Security, targeted at people who supported the pro-democracy movement in Hong Kong.
In October, researchers found that Sony’s Xperia Z3 and Xperia Z3 Compact smartphones manufactured in China were also infected with pre-installed malware, which was hidden in a file named after China’s Internet search engine, Baidu.
According to Olson, phones are ideal targets for espionage. He said, “Mobile phones are a treasure trove of information, and they also happen to be great surveillance devices.”
Given the growing trend in Chinese smartphones pre-infected with malware—and especially these days when users can buy just about anything on Amazon—Olson said it’s important for users to pay attention to where the devices are coming from.
“Choosing your phone just because it’s the least expensive one is generally not the best option,” he said, noting that users should check which company manufactures the devices, and check “whether the company has a history of installing backdoors on their devices.”