Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 internet speed test! ×
Android China Security

Manufacturer's Backdoor Found On Popular Chinese Android Smartphone 82

Trailrunner7 writes that researchers at Palo Alto Networks have found a backdoor in Android devices sold by Coolpad. "A popular Android smartphone sold primarily in China and Taiwan but also available worldwide, contains a backdoor from the manufacturer that is being used to push pop-up advertisements and install apps without users' consent. The Coolpad devices, however, are ripe for much more malicious abuse, researchers at Palo Alto Networks said today, especially after the discovery of a vulnerability in the backend management interface that exposed the backdoor's control system. Ryan Olson, intelligence director at Palo Alto, said the CoolReaper backdoor not only connects to a number of command and control servers, but is also capable of downloading, installing and activating any Android application without the user's permission. It also sends phony over-the-air updates to devices that instead install applications without notifying the user. The backdoor can also be used to dial phone numbers, send SMS and MMS messages, and upload device and usage information to Coolpad."
This discussion has been archived. No new comments can be posted.

Manufacturer's Backdoor Found On Popular Chinese Android Smartphone

Comments Filter:
  • buy cheap ... (Score:3, Insightful)

    by Anonymous Coward on Wednesday December 17, 2014 @04:00PM (#48620145)

    ... get what you pay for

    • by Anonymous Coward

      Buy your Android devices directly from the Google play store.

      Anything cheaper will come with pre-loaded malware that will complicate everything and steal from you.

    • Yes, pay way more and get a flagship android or iOS based device, where you are completely insulated from malicious attacks.
  • by Anonymous Coward on Wednesday December 17, 2014 @04:04PM (#48620193)

    Its just lies and propaganda, there is no backdoor in Coolpads.

    [sent from my Coolpad]

  • by Russ1642 ( 1087959 ) on Wednesday December 17, 2014 @04:06PM (#48620215)

    Pretty sure that both the iOS and Android systems can do this out of the box, they just have chosen not to. There's also the old Kindle deleting 1984 incident.

    • by ArcadeMan ( 2766669 ) on Wednesday December 17, 2014 @04:09PM (#48620243)

      As far as I know, Apple can disable software remotely for security reasons but iOS itself cannot install software without asking the user.

      • Re: (Score:2, Interesting)

        by davidwr ( 791652 )

        Apple can disable software remotely for security reasons but iOS itself cannot install software without asking the user.

        Unless Apple disables the software that prevents iOS from installing software without the user. This function would only be used for security reasons of course.

        • Unless Apple disables the software that prevents iOS from installing software without the user. This function would only be used for security reasons of course.

          It all depends on your definition of "can". Apple could theoretically do _anything_ with your iOS device. Some things would be detectable, some wouldn't, some would be illegal, most would be pointless to do for Apple and would be damaging to business if found out, which is a very good reason not to do it.

          Apple _can_ install apps remotely without asking you, and it actually happens if you buy an app on one phone, and you have set up the other phone to automatically install purchased apps. Well, technicall

      • ...but iOS itself cannot install software without asking the user.

        Can't you install an app on an iPhone by only through iTunes on a PC?

        If so, then yes, iOS supports remote installs.

      • by rtb61 ( 674572 )

        'Erm' yeah right, apparently you live in a happy delusional world. All the manufacturers can quite readily install software without the users permissions by the simply expedient of piggy backing the install of the software they want to install on any software or update that you attempt to install from websites they control. They only thing you can do to prevent it, is never update and never install an application from their servers. They can of course also force you to upgrade by purposefully breaking the

    • Pretty sure that both the iOS and Android systems can do this out of the box, they just have chosen not to. There's also the old Kindle deleting 1984 incident.

      If you bring up 1984 as an example, then you have to bring up U2.

      • If you bring up 1984 as an example, then you have to bring up U2.

        No I don't. You can if you want though.

  • by Tester ( 591 ) <olivier...crete@@@ocrete...ca> on Wednesday December 17, 2014 @04:08PM (#48620235) Homepage

    I though they were describing Google Play Services, which I understand call do all of those things. Except obivously, that Google is not evil..

    • Google is clearly evil. what kind of kool-aid are you consuming? ..
      oohhhhh!

      • by Anonymous Coward

        But if you buy pure android devices directly from Google, you *only* have to deal with Google's evil, and not the additional evil of the manufacturer.

        And the additional evil will always be worse. Google, though evil, has direct incentives to keep its devices secure. The tracking data they get on you is more valuable to them if only they have it. Your perception of the security of their devices is also more valuable to them than what they could gain by installing backdoors.

        For example, a while back a Moto

    • Tester (591)

      Wow, don't see those very often. Good to see old-timers still around.

      So, which do you prefer, Intellivision or ColecoVision? :)

      • by PRMan ( 959735 )
        The sports games and original games were better on Intellivision, but arcade ports rocked on Coleco...
        • Ah.. really classic gaming.

          The Colecovision baseball that had the specific controllers was a lot of fun.. until we learned the pitch that was a strike but couldn't be hit. Then games became a challenge of who could continue to pitch that exact pitch without making a mistake.

          Man the intellivision had some great games though... B-17 bomber was awesome with the voice module. Tron Deadly Discs was a marathon game if there ever was one. My friend was the best at TDD and could play for hours until it finally

      • by Enry ( 630 )

        Space War

      • by jlv ( 5619 )
        I'm going to hit you with my modem.
        • by davidwr ( 791652 )

          I'm going to hit you with my modem.

          300 baud or DSL?

          I have both and it's easy to mix the two up especially if you have one of those last-century DSL modems with the DB9 or DB25 serial connector.

          They have about the same usefulness when used to hit people with.

          On some days, they both seem to transfer data at about the same speed. :P

          • 300 baud or DSL?

            I have both and it's easy to mix the two up especially if you have one of those last-century DSL modems with the DB9 or DB25 serial connector.

            They have about the same usefulness when used to hit people with.

            One with a handset cradle, still in it's suitcase, from when slashdot was on uunet with a broken G protocol. It's *much* more useful than a crappy DSL modem to hit people.

        • Modem? Damn whippersnapper! Get off my lawn!

          • Modem? Luxury! In my day, we had to touch the phone line to our tongues to sense the voltage drops, then key the data in manually to our analog computers with a cat's whisker we yanked out of our oatmeal box radios!
        • by hey! ( 33014 )

          ISDN, so technically not a modem....

          • by BancBoy ( 578080 )
            It Still Does Nothing
          • ISDN, so technically not a modem....

            Technically it is a modem (modulator/demodulator), because data is still transferred via the copper lines, and signal has to be modulated and demodulated at each end. In fact all the network equipment are basically modems, because data has to be modulated (by amplitude, frequency, phase) at the one end to go through the wires and demodulated at the receiving end. This also goes for the wireless equipment.

      • by CaTfiSh ( 724 )

        I'm easy to please, PONG FTW!

      • I don't remember the last time I saw so many members of the 3-digit club in one not-too-long (yet) sub-thread, but it was probably in Bush the 43rd's first term.

  • Disgusting! (Score:5, Funny)

    by fuzzyfuzzyfungus ( 1223518 ) on Wednesday December 17, 2014 @04:08PM (#48620237) Journal
    It's repulsive the sort of tactics that commie chinamen will stoop to, putting backdoors into their products like that. Why, here in America, those are 'features' that you consent to by opening the package, as documented on page 46 of the EULA, as interpreted in mandatory binding arbitration by the company's legal team! It must suck to live in such a benighted, unfree, country, where your cellphone is probably spying on you and may well come preloaded with malware [carrieriq.com]...
  • Harumph! Harumph! (I didn't get a Harumph from that guy.....Harumph!)
    Verizon and AT&T laugh at your puny "backdoor" and limited scope of abuse available through it.
    Why, they opened up their ENTIRE NETWORK to the NSA/CIA/DIA/FBI/any local podunk sheriffs office.
    USA! USA! USA!
    We are STILL Number One!

  • that no one will care and people will continue to buy their products? They might be right, and if so it's a bigger slam on the market than it is on the company. Makes you wonder if the executives actually coolly weighed the risk of discovery vs potential profits.
  • by fhage ( 596871 ) on Wednesday December 17, 2014 @05:44PM (#48621257)
    I have a Sony BDR-S3100 which grabs an IP address even when it's off. It also frequently updates itself without notification when off, leaving new movie trailers and unfamiliar and unwanted Apps in its menu. Each time it does this, (about every 2 weeks) I have to re-enter all my account login information. There's no way to disable these automatic updates. Sony CS has no solution. In addition, I've discovered when the user starts an App, like Netflix, the player first contacts Sony servers before actually running the app. When their servers are down, the player can't run the Netflix App.

    Devices now own us. I miss the days when I had control over my devices.

    • by Anonymous Coward

      Yes you have control, don't buy it, specially Sony!

    • by vux984 ( 928602 )

      Sony CS has no solution.

      Whereas I have 3:

      1) Return it and replace it with something better
      2) Firewall it so it can't access the internet over your router. When you actually need/want to update it, its trivial to disable the rule for a few minutes.

      3) disconnect it from the network. if its wired this couldn't be simpler. If its wireless its may be a little more tedius to forget and resetup the wifi each time -- in which case maybe #2 above is the better solution.

      But really -- #1 is the correct solution.

      • That would work if you don't want to use Netflix on the BD player. GP says when network/Sony's server's are down apps don't work on the BD player...

        • by vux984 ( 928602 )

          Yeah, the netflix angle breaks things and really just highlights just how terrible a player it is.

          Expect a lot more of this with "Internet of Things".

          I for one am not interested in any of that crap.

    • by almondo ( 145555 ) on Wednesday December 17, 2014 @10:52PM (#48622887) Homepage

      I'd say sue Sony but their lawyers are a bit busy right now.

    • by DeVilla ( 4563 )

      Devices now own us. I miss the days when I had control over my devices.

      I don't have all the neat devices everyone else buys, but I own the ones I buy. I blame people like you for making it more difficult.

    • by Gaygirlie ( 1657131 ) <gaygirlie@@@hotmail...com> on Thursday December 18, 2014 @02:16AM (#48623735) Homepage

      Have you checked if it uses HTTP or HTTPS for its traffic? If it's just plain-old HTTP you could redirect the traffic to Sony's servers to a server of your own instead and always just reply with "everything is ok, no updates available, please continue." That's what I've done to several apps and appliances, thereby removing myself from their prying eyes and granting me access to things even when manufacturer's servers are unavailable.

  • by Anonymous Coward

    From RealVNC press release:
    "27th February 2012: RealVNC’s remote access technology has been integrated in Sony Mobile Communication’s Android based Xperia smartphones, enabling them to connect to vehicle infotainment systems so that drivers can access their smartphone applications safely from the dashboard display. The technology can also be used in customer support services by helpdesk agents to provide better support to Xperia users."

  • How is this different than the Uber app AT&T just installed on my phone as part of a software update?
  • News at 11!
  • The Neo900 looks even more attractive.

  • This is why you don't buy shady things from China directly. There's a reason why coolpad's products aren't on the US export list.

A man is not complete until he is married -- then he is finished.

Working...