Security Flaw Found in ZTE Android Phones
The backdoor appears to be intended to enable ZTE and MetroPCS to install and uninstall Android apps.
Chinese smartphone maker ZTE recently acknowledged the existence of a backdoor in its Score M phone, after a hacker posted information on the vulnerability on Pastebin. The issue is a setuid-root binary: whenever it is executed, the process runs with root privileges regardless of who launched it, so any process able to execute the file can use it to obtain a root shell. "There is a setuid-root application at /system/bin/sync_agent that serves no function besides providing a root shell backdoor on the device. ... Nice backdoor, ZTE," the post states.
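The practical check a device owner or reviewer wants here is an inventory of every setuid or setgid binary in the system image, with anything setuid-root that is not on an expected baseline flagged for inspection. The script below is an added example and is not code from the article, from ZTE or from the Pastebin post. It parses the output of `adb shell ls -l /system/bin` (the column layout of the 2012-era Android toolbox `ls` is assumed; filenames with spaces are not handled) and reports setuid-root entries that are absent from a caller-supplied baseline. The sample listing embedded in the script is constructed for illustration; sizes and dates are made up, and the `EXPECTED_SETUID_ROOT` baseline is an assumption the reviewer must adjust to their own build.

```python
import re
import sys
from typing import Dict, FrozenSet, List

# Constructed sample in the style of `adb shell ls -l /system/bin` on a
# 2012-era Android build. Sizes and timestamps are invented; the sync_agent
# entry mirrors the setuid-root binary described in the Pastebin post.
SAMPLE_LS_OUTPUT = """\
-rwxr-xr-x root     shell       27936 2012-03-08 12:30 sh
-rwxr-xr-x root     shell      108276 2012-03-08 12:30 toolbox
-rwsr-xr-x root     root         9896 2012-03-08 12:30 sync_agent
-rwxr-sr-x root     shell       14548 2012-03-08 12:30 netcfg
-rwsr-xr-x root     root        23456 2012-03-08 12:30 run-as
drwxr-xr-x root     shell                2012-03-08 12:30 hw
"""

# Assumed baseline: binaries the reviewer already expects to be setuid root
# on this build. Anything setuid root and not listed here is reported.
EXPECTED_SETUID_ROOT: FrozenSet[str] = frozenset({"run-as"})

# Permission string, owner, group, then skip the size/date columns (directories
# omit the size) and capture the final whitespace-free token as the file name.
LS_LINE = re.compile(r"^([-dlcbps][rwxsStT-]{9})\s+(\S+)\s+(\S+)\s+.*?(\S+)$")


def find_setuid_binaries(ls_output: str) -> List[Dict[str, object]]:
    """Return every regular file in `ls -l` output carrying a setuid or setgid bit.

    A lowercase 's' or uppercase 'S' in the owner-execute slot (index 3) means
    setuid; in the group-execute slot (index 6) it means setgid. The dangerous
    combination is setuid plus owner root: executing the file yields uid 0.
    """
    hits: List[Dict[str, object]] = []
    for line in ls_output.splitlines():
        m = LS_LINE.match(line)
        if not m:
            continue  # "total N" lines or formats we do not understand
        perm, owner, group, name = m.groups()
        if not perm.startswith("-"):
            continue  # only regular files can be meaningfully setuid
        setuid = perm[3] in "sS"
        setgid = perm[6] in "sS"
        if setuid or setgid:
            hits.append({
                "name": name,
                "owner": owner,
                "group": group,
                "setuid": setuid,
                "setgid": setgid,
                "setuid_root": setuid and owner == "root",
            })
    return hits


def unexpected_setuid_root(ls_output: str,
                           expected: FrozenSet[str] = EXPECTED_SETUID_ROOT) -> List[str]:
    """Names of setuid-root binaries that are not on the expected baseline."""
    return [
        str(h["name"])
        for h in find_setuid_binaries(ls_output)
        if h["setuid_root"] and h["name"] not in expected
    ]


def report(ls_output: str) -> str:
    """Human-readable summary used when the script is run directly."""
    lines = []
    for h in find_setuid_binaries(ls_output):
        flags = ("setuid" if h["setuid"] else "") + ("/setgid" if h["setgid"] else "")
        lines.append(f"{h['name']:<16} owner={h['owner']:<6} {flags.strip('/')}")
    suspicious = unexpected_setuid_root(ls_output)
    lines.append("UNEXPECTED setuid-root: " + (", ".join(suspicious) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: adb shell ls -l /system/bin | python audit_setuid.py
    # With no piped input the constructed sample listing is used instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LS_OUTPUT
    print(report(data))
```

The baseline approach is deliberate: a bare "is setuid" check produces noise on every Android build because a few privileged helpers are setuid by design, whereas a diff against what the reviewer has already vetted surfaces exactly the entries, like a `sync_agent` nobody can account for, that deserve a closer look. On newer Android releases `ls -l` column layout differs and many of these helpers have been replaced by capabilities, so the regex and the baseline must be revisited per build.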
"It's the sort of route into a device that manufacturers would use in development, and it's not clear if it was accidentally left in or not, although at least one researcher says that it's being used by ZTE and MetroPCS to install and uninstall apps," writes The Verge's Aaron Souppouris.
"ZTE said it had confirmed the vulnerability on the Score phone, but denied it affected other models," write Reuters' Jeremy Wagstaff and Lee Chyen Yee. "'ZTE is actively working on a security patch and expects to send the update over-the-air to affected users in the very near future,' ZTE said in an emailed statement. 'We strongly urge affected users to download and install the patch as soon as it is rolled out to their devices.'"
"Though the Score M isn't the most popular handset on the market by far, the security setback doesn't bode well for ZTE," notes CNET News' Lynn La. "The Chinese manufacturing company is the fourth largest cell phone vendor in the world, but its presence in this country is small. Despite a consistent effort to crack the U.S. market, handset companies from China, like ZTE and Huawei, are often plagued by rumors and skepticism that connect them with the Chinese government."
In an interview with PCMag.com's Damon Poeter, CrowdStrike co-founder Dmitri Alperovitch called the backdoor a "perverted way" to handle the installing and uninstalling of apps. "There are legitimate and Google-supported APIs for doing the same thing that don't introduce any security risk to the phone," Alperovitch said. "So it is unclear whether this was introduced due to sheer incompetence on the part of ZTE developers or has a second more malicious purpose."