CoolReaper pre-installed malware creates backdoor on Chinese Androids

This a lot worse than just bloatware, say analysts

Security researchers have discovered a backdoor in Android devices sold by Coolpad, a Chinese smartphone manufacturer.

The “CoolReaper” vuln has exposed over 10 million users to potential malicious activity. Palo Alto Networks reckons the malware was “installed and maintained by Coolpad despite objections from customers”.

It's common for device manufacturers to install software on top of Google’s Android mobile operating system to provide additional functionality or to customise Android devices. Some mobile carriers install applications that gather data on device performance. But CoolReaper operates well beyond the collection of basic usage data, acting as a true backdoor into Coolpad devices - according to Palo Alto.

CoolReaper has been identified on 24 phone models sold by Coolpad.

“We expect Android manufacturers to pre-install software onto devices that provide features and keep their applications up to date,” said Ryan Olson, Intelligence Director, Unit 42, Palo Alto Networks. “But the CoolReaper backdoor detailed in this report goes well beyond what users might expect, giving Coolpad complete control over the affected devices, hiding the software from antivirus programs, and leaving users unprotected from malicious attackers. We urge the millions of Coolpad users who may be impacted by CoolReaper to inspect their devices for presence of the backdoor and to take measures to protect their data.”

CoolReaper is capable of a variety of unfriendly actions including the ability to download, install, or activate any Android application without user consent or notification. It can also clear user data, uninstall existing applications, or disable system applications.

Worse yet the malware can push a fake over-the-air (OTA) update that doesn’t update the device, but installs unwanted applications.

It can also send or insert arbitrary SMS or MMS messages into the phone or dial arbitrary phone numbers.

Finally CoolReaper can upload information about the device, its location, application usage, calling and SMS history to a Coolpad server.

Palo Alto’s Unit 42 research arm began investigating what came to be known as CoolReaper following numerous complaints from Coolpad customers in China posted to internet message boards. In November, a researcher working with identified a vulnerability in the back-end control system for CoolReaper, which made clear how Coolpad itself controls the backdoor in the software. Chinese news site,, reported some details about the backdoor in late November.

Coolpad did not respond to multiple requests for assistance by Palo Alto Networks. The Chinese firm is yet to respond to requests for comment from El Reg. We’ll update this story as and when we hear more.

More details on Palo Alto’s research into CoolReaper can be found in a blog post here and CoolReaper: The Coolpad Backdoor a new report from Unit 42 written by Claud Xiao and Ryan Olson. The report contains a list of files to check for in Coolpad devices that may indicate the presence of the CoolReaper backdoor. ®

Similar topics

Other stories you might like

  • It's primed and full of fuel, the James Webb Space Telescope is ready to be packed up prior to launch

    Fingers crossed the telescope will finally take to space on 22 December

    Engineers have finished pumping the James Webb Space Telescope with fuel, and are now preparing to carefully place the folded instrument inside the top of a rocket, expected to blast off later this month.

    “Propellant tanks were filled separately with 79.5 [liters] of dinitrogen tetroxide oxidiser and 159 [liters of] hydrazine,” the European Space Agency confirmed on Monday. “Oxidiser improves the burn efficiency of the hydrazine fuel.” The fuelling process took ten days and finished on 3 December.

    All eyes are on the JWST as it enters the last leg of its journey to space; astronomers have been waiting for this moment since development for the world’s largest space telescope began in 1996.

    Continue reading
  • China to upgrade mainstream RISC-V chips every six months

    Home-baked silicon is the way forward

    China is gut punching Moore's Law and the roughly one-year cadence for major chip releases adopted by the Intel, AMD, Nvidia and others.

    The government-backed Chinese Academy of Sciences, which is developing open-source RISC-V performance processor, says it will release major design upgrades every six months. CAS is hoping that the accelerated release of chip designs will build up momentum and support for its open-source project.

    RISC-V is based on an open-source instruction architecture, and is royalty free, meaning companies can adopt designs without paying licensing fees.

    Continue reading
  • The SEC is investigating whistleblower claims that Tesla was reckless as its solar panels go up in smoke

    Tens of thousands of homeowners and hundreds of businesses were at risk, lawsuit claims

    The Securities and Exchange Commission has launched an investigation into whether Tesla failed to tell investors and customers about the fire risks of its faulty solar panels.

    Whistleblower and ex-employee, Steven Henkes, accused the company of flouting safety issues in a complaint with the SEC in 2019. He filed a freedom of information request to regulators and asked to see records relating to the case in September, earlier this year. An SEC official declined to hand over documents, and confirmed its probe into the company is still in progress.

    “We have confirmed with Division of Enforcement staff that the investigation from which you seek records is still active and ongoing," a letter from the SEC said in a reply to Henkes’ request, according to Reuters. Active SEC complaints and investigations are typically confidential. “The SEC does not comment on the existence or nonexistence of a possible investigation,” a spokesperson from the regulatory agency told The Register.

    Continue reading

Biting the hand that feeds IT © 1998–2021