Leak in management software gave hacker remote access to Coolpad smartphones

A tool that Coolpad said was only intended for “internal testing” contained a leak, which could have allowed attackers to take over millions of Coolpad smartphones. The tool would have accidentally been in device firmwares.

Among other things, the tool can update applications on the phone, call random numbers, send fake text messages and open URLs remotely. As a result, thanks to the leak, it was theoretically possible to extract data from the smartphone and take over the devices completely. The leak was reported on Nov. 20 by a Chinese hacker on a Chinese responsible disclosure site, but has only now come to the attention of a report by security firm Palo Alto Networks on the subject. The leak does not appear to have been fixed yet, despite Coolpad confirming the leak last month.

The tool, which Palo Alto Networks named CoolReaper, is intended for internal use, according to a Coolpad spokesperson, reports the Chinese news site Aqnui. That statement does not seem conclusive: last year various users of Coolpad smartphones received advertisements as a notification via the system. The tool is not included in every Coolpad smartphone firmware, so it does not appear to be a necessary or standard part of the firmware.

All manufacturers have test tools for internal use, with which they have extensive access on smartphones. Manufacturers also have systems on models sold to consumers to be able to push over-the-air updates, for example, and to be able to read remotely where problems may have gone wrong. The way Coolpad does this, namely with the option of not letting the user know, is unusual.

Coolpad ships its devices almost exclusively in China, where it may have sold millions of devices with the CoolReaper tool in the firmware, according to Palo Alto Networks. It is unknown how many users still have the tool in their firmware. Coolpad is the sixth largest smartphone maker in the world.