The backdoor can be easily used to gain instant root access with a password that has been hard-coded into the software.
Android devices typically ship with the user unable to run commands as the “root user”, in order to protect customers from any inadvertent damage they could cause, and to reduce the chance of rogue applications taking complete control of the device. However, following an anonymous post to Pastebin, security researchers have found that ZTE has installed an application on the Score M and the Skate mobile phones that makes rooting these phones simple.
The post said:
There is a setuid-root [set user ID upon execution] application at /system/bin/sync_agent that serves no function besides providing a root shell backdoor on the device. Just give the magic, hard-coded password to get a root shell.
The phone is available in the US and the UK, amongst other markets. While no telco in Australia appears to be selling the Score M or Skate mobile phones outright, it is still possible to purchase them online or through smaller firms. ZTE has offices in Sydney and Melbourne, and is a supplier of a large number of Telstra mobile phones, typically rebranded as Telstra’s own T- and F-series mobile phones. Telstra is aware of the issue, and is in the process of testing its devices to determine if the backdoor exists on them.
“Our preliminary tests suggest that handsets supplied to Telstra are unaffected by this issue. That said, we take device security very seriously, and we are conducting more extensive testing to confirm our initial findings. Should we discover any issues, we will contact customers directly,” Telstra said in a statement.
ZTE is also the company behind the Optus-branded MyTab tablet, which runs Android.
Former McAfee threat research vice president Dmitri Alperovitch, a security researcher, has independently verified the original claim, posting the password to the hidden application on Twitter.
There are also a number of reports from users on Reddit, some of whom said that there does not appear to be any way of remotely accessing the backdoor.
However, other users have pointed out that if the hacker wrote another application to access the backdoor, it would be a trivial matter to first root the device and then take complete control.
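For anyone testing handsets the way Telstra describes, the check comes down to looking for setuid executables in the firmware. The script below is an added example, not code from the Pastebin post, ZTE or Telstra: it walks an extracted copy of a device's file system, lists every setuid file, and separates the path named in the post from other setuid files that are not on a reviewer-supplied allowlist. The function names, the allowlist and the assumption that the image was unpacked with its mode bits preserved are all illustrative.

```python
import os
import stat
import sys

# Path named in the Pastebin post quoted on this page.
REPORTED_PATH = "system/bin/sync_agent"


def find_setuid(image_root):
    """Return {relative_path: owner_uid} for each regular file with the setuid bit set."""
    found = {}
    for dirpath, _dirs, files in os.walk(image_root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: never follow symlinks out of the image
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                rel = os.path.relpath(full, image_root).replace(os.sep, "/")
                found[rel] = st.st_uid
    return found


def audit(image_root, allowlist=()):
    """Sort setuid files into 'reported', 'allowed' and 'unexpected' path lists."""
    result = {"reported": [], "allowed": [], "unexpected": []}
    for rel in sorted(find_setuid(image_root)):
        if rel == REPORTED_PATH:
            result["reported"].append(rel)
        elif rel in allowlist:
            result["allowed"].append(rel)
        else:
            result["unexpected"].append(rel)
    return result


if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: script.py <extracted-image-root> [allowed relative paths...]
    root = sys.argv[1]
    owners = find_setuid(root)
    report = audit(root, allowlist=set(sys.argv[2:]))
    for label in ("reported", "unexpected", "allowed"):
        for rel in report[label]:
            # Owner uid is only meaningful if extraction preserved ownership.
            print(f"{label:10} uid={owners[rel]} {rel}")
    sys.exit(1 if report["reported"] or report["unexpected"] else 0)
```

An empty "reported" list only shows that the path from the post is absent or not setuid in that image; any "unexpected" entry still needs review before it is added to the allowlist.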