Chinese Android Phones May Have Built-In Backdoor

News
By published

The Coolpad, one of China's favorite brands of Android smartphone, may be compromised from the moment it comes off the shelf.

The Coolpad Flo Android phone.

The Coolpad Flo Android phone.

Bad news for China: Some of the country's favorite Android phones may be compromised from the moment they come off the shelf. Many models of Coolpad phones, which is big in China and Southeast Asia and is sold to North American customers in online stores, may contain a backdoor known as "Coolreaper," which can let attackers hijack the device from top to bottom.

The information comes from Santa Clara, California-based Unit 42, a subdivision of Palo Alto Networks, which focuses on online security. Unit 42 released a lengthy report on the Coolreaper phenomenon and explained how the backdoor can exploit consumers, both in China and overseas, even if they take all the right security precautions with their phones.

MORE: 100+ Tech Gift Ideas for the Holidays

As described in the report, Unit 42 discovered that many Coolpad phones sold in China came with the Coolreaper backdoor pre-installed. If hackers take advantage of this flaw (and it's very easy to do), they can download and install whatever software they choose, erase user data, send and receive text messages, make phone calls and copy any and all information on the phone to a remote server.

The bad news is that the flaw does not appear isolated to one particular model of phone, meaning that Coolreaper is very much a systemic vulnerability. As such, Unit 42 theorizes that Coolreaper may have been developed by Coolpad itself, and may be using it to fleece its customers. Why Coolpad would want to jeopardize its reputation like that is anyone's guess.

If you own a Coolpad phone, your best bet may be to wipe the existing Android build and replace it with the stock Android OS straight from Google — or sell it to someone who will.

Because Coolreaper exists in the most fundamental levels of the phone's operating system, it's extremely hard to get rid of otherwise. Even if you do, there's nothing preventing Coolreaper using data it's already acquired from you to install new malware on your device to continue monitoring you.

In June of this year, a different brand of Chinese-made Android phone was found to be pre-loaded with spyware, and a month later, a brand of Chinese-made commercial-inventory barcode scanners were as well. As always, be careful what you store on your phone and run an antivirus sweep now and then.

Marshall Honorof is a Staff Writer for Tom's Guide. Contact him at mhonorof@tomsguide.com. Follow him @marshallhonorof. Follow us @tomsguide, on Facebook and on Google+.

See more Phones News
TOPICS
Marshall Honorof
Marshall Honorof

Marshall Honorof is a senior editor for Tom's Guide, overseeing the site's coverage of gaming hardware and software. He comes from a science writing background, having studied paleomammalogy, biological anthropology, and the history of science and technology. After hours, you can find him practicing taekwondo or doing deep dives on classic sci-fi. 

Latest in Android Phones
CAD renders of the Google Pixel 10
Pixel 10 could include a repurposed ‘Pixie’ assistant — but what actually happened?
Galaxy S25 Edge dummy unit from side angle
Samsung Galaxy S25 Edge design just shown off on video from every angle with seemingly accurate dummies
Google Pixel 9a next to Galaxy A56
Google Pixel 9a vs. Samsung Galaxy A56: Which sub-$500 phone should you get?
Samsung Galaxy Z Flip 6 review.
Samsung Galaxy Z Flip 7 design just teased in new cases leak — and the outer display is huge
Samsung Galaxy Z Flip 6 review.
Galaxy Z Flip 7 could finally fix the one thing that has prevented me from using Samsung’s flip phones
Motorola Razr Plus 2024 cover display
Motorola Razr Plus (2025) leaked specs hint at bigger upgrades — here's what we know
Latest in News
NYTimes Connections
NYT Connections today hints and answers — Thursday, March 27 (#655)
The Signal app logo displayed on an iPhone, with a screenshot of the Signal app in use displayed on a monitor in the background.
Signal — everything you need to know about the app at the center of the group chat scandal
Robert Downey Jr. revealed as Doctor Doom for "Avengers: Doomsday"
Marvel reveals 'Avengers: Doomsday' casting — the latest updates and every actor
Wyze Cam v3
Wyze adds AI-powered filter to its security cameras to cut down on notifications that are “no big deal”
Mark Grayson (Steven Yeun) as Invincible in his blue suit during a scene from "Invincible" season 3 on Prime Video.
'Invincible' season 4 release window just announced — here's when it's coming
Microsoft Copilot app running on a phone with Microsoft logo in background
Microsoft 365 Copilot debuts new research tools for work: here's what that means
More about android phones
Galaxy S25 Edge dummy unit from side angle

Samsung Galaxy S25 Edge design just shown off on video from every angle with seemingly accurate dummies
CAD renders of the Google Pixel 10

Pixel 10 could include a repurposed ‘Pixie’ assistant — but what actually happened?
Emily (Blake LIvely), Dante (Michele Morrone), Vicky (Alex Newell) and Stephanie (Anna Kendrick) in "Another Simple Favor" coming soon to Prime Video

5 biggest Prime Video shows and movies I can’t wait to watch in spring 2025
See more latest
3 Comments Comment from the forums
  • JOEYFROM CHINA
    Yet another reason to go with Apple.
    Reply
  • mohnam
    Yet another reason not to buy a Chinese phone.
    Reply
  • tiatnn
    Xiaomi was caught red handed stealing personal info, photos, etc. some time ago. Why isn't anyone giving two cents about that matter?
    Reply
Most Popular
Emily (Blake LIvely), Dante (Michele Morrone), Vicky (Alex Newell) and Stephanie (Anna Kendrick) in "Another Simple Favor" coming soon to Prime Video
5 biggest Prime Video shows and movies I can’t wait to watch in spring 2025
Disney Plus logo
New on Disney Plus in April 2025 — all the new must-watch movies and shows
NYT Strands on a cellphone
NYT Strands today — hints, spangram and answers for game #389 (Thursday, March 27 2025)
NYTimes Connections
NYT Connections today hints and answers — Thursday, March 27 (#655)
Mark Grayson (Steven Yeun) as Invincible in his blue suit during a scene from "Invincible" season 3 on Prime Video.
'Invincible' season 4 release window just announced — here's when it's coming
The Signal app logo displayed on an iPhone, with a screenshot of the Signal app in use displayed on a monitor in the background.
Signal — everything you need to know about the app at the center of the group chat scandal
Microsoft Copilot app running on a phone with Microsoft logo in background
Microsoft 365 Copilot debuts new research tools for work: here's what that means
Wyze Cam v3
Wyze adds AI-powered filter to its security cameras to cut down on notifications that are “no big deal”
Bella Ramsey and Isabela Merced in The Last of Us season 2
'The Last of Us' season 2 episode 1 title and runtime revealed
Robert Downey Jr. revealed as Doctor Doom for "Avengers: Doomsday"
Marvel reveals 'Avengers: Doomsday' casting — the latest updates and every actor