Palo Alto Networks reveal CoolReaper backdoor on Coolpad devices

JC Torres - Dec 18, 2014, 4:10am CST
Palo Alto Networks reveal CoolReaper backdoor on Coolpad devices

Bloatware has been an annoying issue on any device, whether it be smartphone, tablet or laptop, but what Chinese OEM Coolpad is doing goes beyond bloatware into potentially criminal territory. Palo Alto Networks, the very same research firm that alerted the world to the WireLurker iOS malware last month is now hot on the trails of “CoolReaper” a backdoor software that Coolpad has intentionally installed on millions of its devices, exposing users not just to its own control but possibly to external malicious threats as well.

This definitely takes the cake compared to bloatware. At least bloatware only serve to annoy or burden users with disguised promises of added value. The worst that they could do is send some (hopefully anonymized) data for manufacturer or carrier statistics. They, again hopefully, don’t endanger the security of users.

CoolReaper, however, pulls all the stops when it comes to spying on and deceiving Coolpad’s own customers. Here are just some of the frightening abilities that CoolReaper possesses:

• Download, install, or activate any Android application without user consent or notification.
• Clear user data, uninstall existing applications, or disable system applications.
• Notify users of a fake over-the-air (OTA) update that doesn’t update the device, but installs unwanted applications.
• Send or insert arbitrary SMS or MMS messages into the phone.
• Dial arbitrary phone numbers.
• Upload information about the device, its location, application usage, calling and SMS history to a Coolpad server.

It is definitely a security nightmare, but a party for miscreants. The problem with these “intentional” backdoors is that no matter how well intentioned they might be (like the NSA’s AURORAGOLD ops), they are nonetheless backdoors, hidden from security and therefore have the potential to be abused by anyone who has the knowledge and the means.

Perhaps even more worrying is Coolpad’s involvement. They are definitely not unaware of the situation, as they have been informed by different security researchers about the existence of a backdoor. In fact, there is evidence that suggests that Coolpad is indeed the author and agent of this backdoor. What its goals are, however, remain unclear at this point.

Right now there isn’t any known way to cleanse a device of CoolReaper, other than ditching the Coolpad device itself. Luckily in the US, Coolpad hasn’t gained much traction after an initial burst of interest last year, but it is quite big in China. Palo Alto Networks has also updated its tools to identify and block CoolReaper traffic, at least as much as it can. One problem is that Coolpad is using a modified version of Android that effectively hides CoolReaper from anti-malware tools, a case that Google should definitely look into to ensure that future versions of Android should not be so easily corrupted.

SOURCE: Palo Alto Networks

Must Read Bits & Bytes