Code discovered by security researchers and now circulating widely online confirms that three of ZTE’s own Android phones, and possibly more, are being shipped with a backdoor. In theory it gives any knowledgeable developer root access to the filesystem on the affected phones, and it gives the same access to malware disguised as legitimate applications, which is often found both within and outside of Google Play. The two models sold that are affected so far are the Score M and the European Skate.
The backdoor has also raised legitimate concerns about ZTE’s competence in shipping devices with it. While it makes rooting the devices easier for modders and developers who want to tinker or do additional device development, it is no mere coincidence that these devices are being shipped and actively sold on carriers without any acknowledgement. ZTE has yet to officially respond to the evidence presented.
What makes it so effective is that it uses a hardcoded, easily deciphered password that is not device-specific: it is a universal password that gives root access on every affected device. Because many people do not look at the permissions an app requests when downloading it, downloading the wrong app to an affected phone could spell trouble. The actual discovery, as found on Pastebin, is pasted below for context:
The ZTE Score M is an Android 2.3.4 (Gingerbread) phone available in the United States on MetroPCS, made by Chinese telecom ZTE Corporation.
There is a setuid-root application at /system/bin/sync_agent that serves no function besides providing a root shell backdoor on the device. Just give the magic, hard-coded password to get a root shell:
$ sync_agent ztex1609523
Nice backdoor, ZTE.
Since the backdoor was first revealed, it has also been found on European ZTE handsets: the ZTE Skate sold by the UK branch of the French carrier Orange is also affected, and more research is being done to see whether other units are affected.
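A defender's check for the pattern the Pastebin note describes, a setuid-root binary in the system image that nobody expected to be there. This is an added example, not code from the original report or from ZTE; the function names and the baseline set are assumptions, and it presumes a system image mounted or extracted with ownership and mode bits preserved.

```python
import os
import stat
import sys


def find_setuid_files(root, owner_uid=0):
    """Return sorted paths (relative to root) of regular files that carry
    the setuid bit and are owned by owner_uid (0 = root)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks out of the image
            except OSError:
                continue  # unreadable entry, skip it
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & stat.S_ISUID and st.st_uid == owner_uid:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def unexpected_setuid(root, baseline, owner_uid=0):
    """Setuid files found under root that are missing from the reviewed baseline."""
    return [p for p in find_setuid_files(root, owner_uid) if p not in baseline]


if __name__ == "__main__":
    # Usage: python audit_setuid.py /path/to/mounted/system
    # The baseline is an assumption: fill it with the setuid binaries you
    # have reviewed and expect for this build (paths relative to the root).
    reviewed_baseline = {"bin/expected_helper"}  # constructed placeholder
    image_root = sys.argv[1] if len(sys.argv) > 1 else "."
    findings = unexpected_setuid(image_root, reviewed_baseline)
    for rel in findings:
        print("unexpected setuid-root binary:", rel)
    sys.exit(1 if findings else 0)
```

An image unpacked by an unprivileged user usually loses root ownership, so run this against a read-only loop mount or an extraction done with ownership preserved; otherwise the scan returns nothing and looks clean.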
[via XDA Developers]