UPDATE–An Android handset produced by Chinese manufacturer ZTE has a backdoor installed that could enable an attacker to take control of an affected device remotely and run arbitrary code. The manufacturer has acknowledged the issue in the ZTE Score M, which includes a hardcoded password, and says that it plans to push out a fix soon.
The affected phones are sold by carrier MetroPCS and are not among the more widely deployed handsets in the U.S. However, security researchers say that the backdoor is a serious issue, as it was included without users’ knowledge and can be used by the carrier and others to run code on the phone.
“This is definitely a serious issue on the two phones confirmed to be affected, because a malicious application could use this backdoor to gain root privileges on the device and subsequently perform unauthorized actions such as stealing and exfiltrating user data. That being said, the issue appears to only affect a very small number of devices, and evidence points to this being an inept engineering decision rather than a covert mechanism for spying, since several MetroPCS applications on the phone make use of this backdoor for installing and uninstalling MetroPCS applications,” security researcher Dan Rosenberg said.
ZTE is a Chinese manufacturer that supplies handsets, tablets and other products to a variety of companies around the world. The Score M Android phones are sold by MetroPCS in the United States, and the existence of the backdoor in the devices first came to light last week in a posting on Pastebin.
“The ZTE Score M is an Android 2.3.4 (Gingerbread) phone available in the United States on MetroPCS, made by Chinese telecom ZTE Corporation. There is a setuid-root application at /system/bin/sync_agent that serves no function besides providing a root shell backdoor on the device. Just give the magic, hard-coded password to get a root shell,” the anonymous post said.
There have been a number of other controversies in recent years regarding backdoors, surreptitiously installed agents and other remote-control apps on a variety of handsets. The most recent and best-known is the Carrier IQ dustup, in which the company was accused of using its agent, which is installed on millions of handsets, to silently log data on user actions, including keystrokes and SMS activity. However, security researchers who analyzed the software said that the agent was not doing any of that, but was collecting a lot of metrics on how the phones are used.
“In response to reports of a ‘backdoor’ issue with the ZTE Score M and ZTE Skate handsets, ZTE has identified a technical defect that exposes ZTE Score M units sold in the United States to potential third-party exploitation. ZTE takes customer privacy very seriously and makes every effort to ensure personal data is safe from unauthorized access. ZTE is actively working on an update patch and expects to send the update over-the-air to affected users before May 31, 2012. ZTE is providing all relevant customer support possible in this isolated incident. We would encourage affected users to download and install the patch as soon as it is rolled out to the affected device,” the company said in a statement. “In addition, no such ‘backdoor’ issue exists with the ZTE Skate (and variants) smartphone.”
This article was updated on May 18 to include ZTE’s statement.