Researchers at Palo Alto found that many ROM images used for Android smart phones manufactured by Coolpad contain a backdoor, giving an attacker full control of the device. Palo Alto named the backdoor "Coolreaper".

With Android, it is very common for manufacturers to install additional applications. But these applications are installed on top of the Android operating system. In this case, Coolpad integrated additional functionality into the firmware of the device. This backdoor was then used by Coolpad to push advertisements to its users and to install additional Android applications. But its functionality goes way beyond simple advertisements.

The backdoor provides full access to the device. It allows the installation of additional software, accessing any information about the device, and even notifying the user of fake over the air updates.

How important is this threat?

Coolpad devices are mostly used in China, with a market share of 11.5% according to the report. They are not found much outside of China. The phones are typically sold under brands like Coolpad, Dazen and Magview. 

The following domains and IPs are used for the C&C channel:

113.142.37.149, dmp.coolyn.com, dmp.51coolpad.com, icudata.coolyun.com, icudata.51coolpad.com, 113.142.37.246, icucfg.coolyun.com and others . Blocking and logging outbound traffic for these IPs will help you identify affected devices.

For details, see the Palo Alto Networks report at https://www.paloaltonetworks.com/threat-research.html

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn