In a research paper released today, Palo Alto Networks detailed its investigation of the backdoor, which it dubbed "CoolReaper."
"Coolpad has built a backdoor that goes beyond the usual data collection," said Ryan Olson, director of intelligence at Palo Alto's Unit 42. "This is way beyond what one malicious insider could have done."
Coolpad, which sells smartphones under several brand names -- including Halo, also called Danzen -- is one of China's largest ODMs (original design manufacturers). According to IDC, it ranked fifth in China in the third quarter, with 8.4% of the market, and has expanded sales beyond the People's Republic of China (PRC) and Taiwan to Southeast Asia, the U.S. and Western Europe.
Tipped off by a string of complaints from Coolpad smartphone users in China and Taiwan -- who griped about seeing advertisements pop up and apps suddenly appear -- Palo Alto dug into the ROM updates that Coolpad offered on its support site and found widespread evidence of CoolReaper.
Of the 77 ROMs that Palo Alto examined, 64 contained CoolReaper, including 41 hosted by Coolpad and signed with its own digital certificate.
Other evidence that Coolpad was the creator of the backdoor, said Olson, included the malware's command-and-control servers -- which were registered to domains belonging to the Chinese company and used, in fact, for its public cloud -- and an administrative console that other researchers had found last month because of a vulnerability in Coolpad's backend control system. The console confirmed CoolReaper's functionality.
CoolReaper has a host of components that allow Coolpad to download updates and apps to devices, start services and uninstall apps, dial phone numbers and send texts, and more -- all without user knowledge, much less authorization.
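The capabilities listed above (silent install and uninstall, dialing, texting, hiding from the user) each require specific Android permissions, so one practical way to triage a suspect ROM or device is to look for a system-image package that holds all of them at once. The script below is an added example, not code from Palo Alto Networks' report or from Coolpad; it parses text in the shape of `adb shell dumpsys package` output and flags packages installed under `/system` whose requested permissions cover several of those capabilities. The mapping from capability to permission is the editor's own, the package names and paths in the sample dump are hypothetical, and the dump itself is constructed to mirror the format rather than captured from a real device.

```python
"""Triage a dumpsys-style package listing for CoolReaper-like capability sets.

Added example: not Palo Alto's or Coolpad's code. Assumes the text shape of
`adb shell dumpsys package` (Package [...] headers, codePath=, flags=[...],
"requested permissions:" blocks). All package names below are hypothetical.
"""
import re
from dataclasses import dataclass, field

# Capability described in the article -> permission(s) that implement it on
# stock Android. Editor's own mapping, not taken from the research paper.
CAPABILITY_PERMS = {
    "install apps silently": {"android.permission.INSTALL_PACKAGES"},
    "uninstall apps": {"android.permission.DELETE_PACKAGES"},
    "dial phone numbers": {"android.permission.CALL_PHONE"},
    "send texts": {"android.permission.SEND_SMS"},
    "track location": {"android.permission.ACCESS_FINE_LOCATION",
                       "android.permission.ACCESS_COARSE_LOCATION"},
    "read call/SMS activity": {"android.permission.READ_CALL_LOG",
                               "android.permission.READ_SMS"},
}

PERM_SECTIONS = ("requested permissions:", "install permissions:",
                 "runtime permissions:")
PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")


@dataclass
class Pkg:
    name: str
    code_path: str = ""
    flags: set = field(default_factory=set)
    perms: set = field(default_factory=set)


def parse_dumpsys(text):
    """Parse the package records out of a dumpsys-style listing."""
    pkgs, cur, section = [], None, None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:                      # new "Package [name] (hash):" record
            cur = Pkg(m.group(1))
            pkgs.append(cur)
            section = None
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("codePath="):
            cur.code_path = s.split("=", 1)[1]
        elif s.startswith("flags=[") or s.startswith("privateFlags=["):
            cur.flags |= set(s.split("[", 1)[1].rstrip("]").split())
        elif s in PERM_SECTIONS:
            section = s
        elif section and s.startswith("android.permission."):
            cur.perms.add(s.split(":")[0])   # drop ": granted=true" suffix
        elif s.endswith(":"):
            section = None             # some other sub-section begins
    return pkgs


def triage(pkgs, min_caps=3):
    """Return (package, capabilities) for system-image packages whose
    permissions cover at least `min_caps` of the backdoor capabilities."""
    findings = []
    for p in pkgs:
        in_system = "SYSTEM" in p.flags or p.code_path.startswith("/system/")
        if not in_system:
            continue
        caps = sorted(c for c, need in CAPABILITY_PERMS.items() if need & p.perms)
        if len(caps) >= min_caps:
            findings.append((p.name, caps))
    return findings


# Constructed sample dump (hypothetical packages), shaped like dumpsys output.
SAMPLE_DUMP = """\
Packages:
  Package [com.example.vendor.updater] (3f2a1b):
    userId=1000
    codePath=/system/priv-app/VendorUpdater
    flags=[ SYSTEM HAS_CODE ]
    privateFlags=[ PRIVILEGED ]
    requested permissions:
      android.permission.INTERNET
      android.permission.INSTALL_PACKAGES
      android.permission.DELETE_PACKAGES
      android.permission.CALL_PHONE
      android.permission.SEND_SMS
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_CALL_LOG
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.weather] (91c0de):
    userId=10042
    codePath=/data/app/com.example.weather-1
    flags=[ HAS_CODE ALLOW_BACKUP ]
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_COARSE_LOCATION
      android.permission.SEND_SMS
  Package [com.android.launcher3] (77ab11):
    userId=10020
    codePath=/system/app/Launcher3
    flags=[ SYSTEM HAS_CODE ]
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_COARSE_LOCATION
"""

if __name__ == "__main__":
    for name, caps in triage(parse_dumpsys(SAMPLE_DUMP)):
        print(name, "->", ", ".join(caps))
```

On a real handset, run `adb shell dumpsys package > dump.txt` and feed the file to `parse_dumpsys`. Treat a hit as a lead, not a verdict: a vendor's legitimate OTA client also holds INSTALL_PACKAGES, so the signal is the combination of silent-install, telephony, messaging and location rights in one hidden system package. Because the article notes that CoolReaper hides itself from the operating system, also compare the package list against the contents of the ROM image itself rather than trusting the device's own view alone.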
So far, the backdoor has been used to serve up unsolicited ads and install apps without user approval, said Olson, who speculated that both were being done for financial reasons. Coolpad may be getting a per-app-install fee, for example.
But information gathering -- including users' locations, the calls they make and the texts they send, and the duration of those calls -- is also possible, Olson added. That raises privacy and security concerns, both notable problems in China, where the government aggressively tracks dissent and censors the Internet.
"Any backdoor can be abused, either by the company that built it or someone who gets access to it," Olson said. Because of the vulnerability in Coolpad's legitimate control system -- and the potential for other flaws in that same code -- others may be able to access the CoolReaper administrative console and hijack smartphones or plant even more malicious malware on the devices.
Palo Alto was able to obtain only one Coolpad smartphone -- one of the models sold in the U.S. -- and did not find CoolReaper on the device. Olson suspected that only the Chinese models were fitted with the backdoor.
But he was certain this was more than an oversight, more than the usual Android malware that has been planted on some smartphones at some point in the supply chain.
"This would be a very amazing infiltration of Coolpad's systems by a rogue insider," said Olson. "And it's been going on for over a year, since October 2013." Other clues, he said, included CoolReaper's surreptitious behavior -- it hides itself from the operating system -- and the use of the word "backdoor" in its source code.
Coolpad did not immediately reply to a request for comment.
Palo Alto's CoolReaper research paper can be downloaded from the firm's website (registration required).