This article is more than 1 year old

CoolReaper pre-installed malware creates backdoor on Chinese Androids

This a lot worse than just bloatware, say analysts

Security researchers have discovered a backdoor in Android devices sold by Coolpad, a Chinese smartphone manufacturer.

The “CoolReaper” vuln has exposed over 10 million users to potential malicious activity. Palo Alto Networks reckons the malware was “installed and maintained by Coolpad despite objections from customers”.

It's common for device manufacturers to install software on top of Google’s Android mobile operating system to provide additional functionality or to customise Android devices. Some mobile carriers install applications that gather data on device performance. But CoolReaper operates well beyond the collection of basic usage data, acting as a true backdoor into Coolpad devices - according to Palo Alto.

CoolReaper has been identified on 24 phone models sold by Coolpad.

“We expect Android manufacturers to pre-install software onto devices that provide features and keep their applications up to date,” said Ryan Olson, Intelligence Director, Unit 42, Palo Alto Networks. “But the CoolReaper backdoor detailed in this report goes well beyond what users might expect, giving Coolpad complete control over the affected devices, hiding the software from antivirus programs, and leaving users unprotected from malicious attackers. We urge the millions of Coolpad users who may be impacted by CoolReaper to inspect their devices for presence of the backdoor and to take measures to protect their data.”

CoolReaper is capable of a variety of unfriendly actions including the ability to download, install, or activate any Android application without user consent or notification. It can also clear user data, uninstall existing applications, or disable system applications.

Worse yet the malware can push a fake over-the-air (OTA) update that doesn’t update the device, but installs unwanted applications.

It can also send or insert arbitrary SMS or MMS messages into the phone or dial arbitrary phone numbers.

Finally CoolReaper can upload information about the device, its location, application usage, calling and SMS history to a Coolpad server.

Palo Alto’s Unit 42 research arm began investigating what came to be known as CoolReaper following numerous complaints from Coolpad customers in China posted to internet message boards. In November, a researcher working with identified a vulnerability in the back-end control system for CoolReaper, which made clear how Coolpad itself controls the backdoor in the software. Chinese news site,, reported some details about the backdoor in late November.

Coolpad did not respond to multiple requests for assistance by Palo Alto Networks. The Chinese firm is yet to respond to requests for comment from El Reg. We’ll update this story as and when we hear more.

More details on Palo Alto’s research into CoolReaper can be found in a blog post here and CoolReaper: The Coolpad Backdoor a new report from Unit 42 written by Claud Xiao and Ryan Olson. The report contains a list of files to check for in Coolpad devices that may indicate the presence of the CoolReaper backdoor. ®

More about


Send us news

Other stories you might like