Proprietary 2014-12-17 · 0 days · Backdoor, Spyware, Malware Distribution

Coolpad ROMs carried CoolReaper backdoor

Palo Alto Networks found CoolReaper in many Coolpad Android ROMs, giving the vendor silent app installation, data upload, SMS, and OTA-abuse capabilities.

Story

CoolReaper was not a vague privacy concern. Unit 42 found it in stock ROMs for many Coolpad Android phones, signed with Coolpad certificates and paired with Android OS changes that hid the backdoor from users and security tools.

The backdoor could download, install, and activate Android apps without user consent. It could clear user data, uninstall or disable apps, send or insert SMS and MMS messages, dial numbers, show fake OTA updates, and upload device location, app usage, call, and SMS history.

The implementation also changed the user-visible trust model. Because CoolReaper was signed with vendor certificates and supported by ROM-level changes, the affected phones treated the backdoor as part of the platform rather than as a removable third-party app.

Palo Alto Networks concluded that Coolpad created and installed the backdoor. That makes this a vendor-deliberate inclusion record rather than a third-party compromise, but it still fits the archive's hardware/software trust boundary: the device arrived with hidden code in the vendor ROM.

Affected Artifacts

Incident Context

Motive
Data Collection, Ad Fraud
Attribution
Company
Cause
Vendor Deliberate Inclusion
Transitive
No
Actor
Coolpad
Actor Country
China
User Impact
10000000

External References

Source record: proprietary/coolpad/meta.yaml