In a report released today, security researchers claim to have identified a vulnerability in as many as 24 Coolpad devices. The backdoor, which the researchers at Palo Alto Networks call "CoolReaper," reportedly installs adware without user consent or notification. More problematic is the fact that Coolpad built the backdoor into the operating systems themselves. The cherry on top is that Coolpad even had the nefarious app impersonate the Google Play Services framework file to avoid alerting users.

Banners_and_Alerts_and_unit42-cool-reaper_pdf

Palo Alto Networks' threat research team, "Unit 42," compiled the report. The inspiration for their investigation was a series of Coolpad users having reported strange behavior on their phones. These Coolpad owners had noticed apps that they did not download appearing on their devices, especially after downloading "OTA updates" that didn't seem to change the operating system at all. Others pointed out that they had push notifications that were actually advertisements without explanation.

While Americans may not be familiar with Coolpad, the Chinese company is the sixth-largest smartphone maker in the world, a reach on par with Sony. Only Lenovo and Xiaomi make more smartphones for Chinese customers. So far, the backdoor has only been spotted on ROMs for Chinese and Taiwanese customers. Coolpad does sell the Quattro 4G through MetroPCS as well as the Quattro II 4G and Flo through other prepaid carriers.

How did Coolpad manage to silently download adware on consumer devices? Well, in a way that made them fairly likely to get caught. Early on, the APK file in question was called CP_DMP.apk. According to Palo Alto Networks' report, Coolpad updated the app when reports of malicious behavior by CP_DMP.apk accumulated. This update included changing the filename to GoogleGmsFramework.apk. Yes, that is the same filename as the Google Play Services framework.

coolpadads

Image by Liuhua Fang demonstrating the advertisements in push notifications

While the app has no user interface, it could be visible to users from its battery usage. At least, it would be if Coolpad didn't have it appear as "Android System" in the battery stats menu. Coolpad also customized the system's package manager to keep the backdoor from showing up in the list of installed apps. It isn't surprising that Coolpad modified the pre-installed antivirus program to be sure it missed their own malware, either.

OEM-customized ROMs often give the manufacturer privileges somewhat like these. What isn't common is for the company to abuse those abilities by installing adware on consumer devices. Also, responding to customer complaints about the malware by having the backdoor imitate a legitimate Google app is beyond the scope of reasonable behavior.

Android software, by and large, is not noteworthy for its ability to protect users from unwanted advertisements. We are talking about Google, after all. Still, this a step across the line, even if the name "CoolReaper" is a bit of an overstatement.

Source: Palo Alto Networks PR