
Saturday, May 19, 2012

Why Does ZTE's Score M Have a Built-In Backdoor Hole?

ZTE Score M

Chinese handset maker ZTE has confirmed a vulnerability in one of the Android-based smartphones it sells in the United States that can be exploited to completely take over the device, Reuters reported Friday.

The vulnerability exists on the ZTE Score M, a barebones, inexpensive Android 2.3.4 (Gingerbread) smartphone available for $99 in the U.S. through MetroPCS. Basically, a backdoor hole apparently built into the phone by ZTE allows anyone with the hard-coded password used to access it to take over Score M model phones—and worse, that password was published online by the anonymous pastebin poster who first identified the backdoor hole last week.

The anonymous tipster described the vulnerability as "a setuid-root application at /system/bin/sync_agent that serves no function besides providing a root shell backdoor on the device. Just give the magic, hard-coded password to get a root shell."
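The kind of finding the tipster describes, a setuid-root executable that has no business being on the image, can be surfaced by auditing an extracted /system partition against an allowlist. The following is an added example, not code from the article, ZTE or CrowdStrike; the allowlist entry, the sample tree and the function names are constructed assumptions.

```python
import os
import stat
import sys
import tempfile

# Constructed allowlist: setuid files expected on the image, relative to the
# /system root. Build the real list from a known-good reference build.
ALLOWLIST = frozenset({"bin/run-as"})


def find_setuid(root, owner_uid=0, allowlist=ALLOWLIST):
    """Return sorted (relative path, mode string) for regular files under
    root that are setuid, owned by owner_uid and missing from allowlist."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow symlinks out of the image
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISUID:
                continue
            if st.st_uid != owner_uid:
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if rel not in allowlist:
                findings.append((rel, stat.filemode(st.st_mode)))
    return sorted(findings)


def build_sample_tree(root):
    """Create a constructed stand-in for an extracted /system partition."""
    os.makedirs(os.path.join(root, "bin"))
    for name, mode in (("sync_agent", 0o4755), ("run-as", 0o4750), ("ls", 0o755)):
        path = os.path.join(root, "bin", name)
        with open(path, "wb") as fh:
            fh.write(b"\x7fELF")  # placeholder bytes, not a real binary
        os.chmod(path, mode)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: path to an extracted /system image, files owned by root.
        results = find_setuid(sys.argv[1])
    else:
        # Demo: sample files are owned by the current user, not uid 0.
        with tempfile.TemporaryDirectory() as tmp:
            build_sample_tree(tmp)
            results = find_setuid(tmp, owner_uid=os.getuid())
    for rel, mode in results:
        print(f"unexpected setuid file: /system/{rel} ({mode})")
```

The ownership check is only meaningful when the image is mounted or extracted with its original uids preserved.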

ZTE told Reuters that it is working on a fix.

"ZTE is actively working on a security patch and expects to send the update over-the-air to affected users in the very near future," the company told the news agency. "We strongly urge affected users to download and install the patch as soon as it is rolled out to their devices."

Dmitri Alperovitch, co-founder and chief technology officer of security firm CrowdStrike, described the existence of the backdoor as "highly unusual" in an interview with Reuters. Alperovitch, who also spoke with PCMag on Friday, questioned why such a vulnerability would exist in the first place.

He said CrowdStrike researchers had determined that ZTE is pushing software updates through the backdoor but noted that this was a highly unorthodox method for doing so.

"The backdoor on the phone is used by ZTE to install/uninstall various apps on the phone, but that is a perverted way to accomplish this task. There are legitimate and Google-supported APIs for doing the same thing that don't introduce any security risk to the phone," Alperovitch told PCMag. "So it is unclear whether this was introduced due to sheer incompetence on the part of ZTE developers or has a second more malicious purpose."

Indeed, Reuters drew attention to security concerns U.S. authorities have expressed about China-based computer manufacturers in recent months, though those concerns have generally had more to do with back-end equipment security than with consumer devices like the ZTE Score M.

Alperovitch told the news agency that whatever's going on with the backdoor on the Score M, it's not something he or his team have ever come across on a smartphone or handset.

"I have never seen this before. There are rumors about backdoors in Chinese equipment floating around," he said. "That's why it's so shocking to see it blatantly on a device."

For more from Damon, follow him on Twitter @dpoeter.
