High quality global journalism requires investment. Please share this article with others using the link below, do not cut & paste the article. See our Ts&Cs and Copyright Policy for more detail. Email email@example.com to buy additional rights. http://www.ft.com/cms/s/0/77843ec2-bd5f-11e4-b523-00144feab7de.html#ixzz3SzdZG1cE
February 26, 2015 2:45 am
Last updated: February 19, 2015 7:00 pm
Smartphones from a major Chinese manufacturer have a security flaw that was deliberately introduced and allows hackers full control of the device.
The “CoolReaper” backdoor was found in the software that powers at least 24 models made by Coolpad, which is now the world’s sixth-biggest smartphone producer according to Canalys.
The flaw allows hackers or Coolpad itself to download and install any software onto the phones without the user’s permission.
“The operator can simply uninstall or disable all security applications in user devices, install additional malware, steal information and inject content into the users device in multiple ways,” according to a report on the malware by security firm Palo Alto Networks (Pan).
Researchers say all signs point to the Chinese government
A fake smartphone app is being used to remotely monitor pro-democracy protesters in Hong Kong, according to a report from the New York Times. Researchers from Lacoon Mobile Security say the phishing scam is spreading across the messaging application WhatsApp, through texts that read: “Check out this Android app designed by Code4HK for the coordination of OCCUPY CENTRAL!”, along with a link to download software. Lacoon says the software, once downloaded, can access a user’s personal data, including phone calls, text messages, and the physical location of their smartphone. Code4HK — a developer community that has helped to spread information about the protests — tells the Times it had nothing to do with the texts.
The origin of the scam remains unknown, but Lacoon CEO Michael Shaulov says the Chinese government is likely behind it, given the location of the servers and the sophistication of the operation. The company traced it to a computer that they say is similar to those that the Chinese government allegedly used to launch cyberattacks against US targets last year. The spread of the app remains equally unclear, though Shaulov says it was downloaded by one out of every ten phones that received the fake message. It has affected both Android and iOS users alike, although many in the security world have noted that only jailbroken iOS phones are vulnerable.