CoolReaper, The 'Accidental' Revenue-Generating Bug

It is not every day that your phone manufacturer spams you with unwanted pop over ads and installs potentially unwanted applications onto the phone. Advertising or software installed on behalf of games providers hoping to be the next Angry Birds is potentially the order of the day.

This is not behavior one would see from tier one providers such as Google, Apple, Samsung, et al. Tier one providers do occasionally bundle games onto the handset in the hope that a percentage of those users will play a game or buy the app, netting the vendor a commission. That's where the additional income stream ends.

In this case, however, it seems that a hole was intentionally created by Coolpad (a Chinese phone manufacturer) in the Android firmware. This hole was used to push the content onto phones. Lawsuits would be flowing thick and fast in just about any Western nation against a phone manufacturer that did this.

In China, however, the situation is slightly different. It is not only one of the largest countries by population (1.1 billion in 2012), but it's also not yet at its saturation point in terms of phone sales -- which stand at a mere 980 million handsets. That may sound like a lot, but in the West, a ratio of three phones to a single user is not unusual. China also has much weaker privacy laws, and prosecutions are rare.

Given the fact that China is a huge untapped market, providers are under pressure to provide rock bottom prices for phones. To get market share, some vendors sell units below cost. They have to make for that somehow. It's simple economics. Coolpad is well known in China and has millions of users, which means that the potential install base is therefore very lucrative for potential forced installations.

These below-cost phones are subsidized by advertising revenue. Although classified as a bug in the operating system by the vendor, there is overwhelming evidence that this backdoor was intentional and was being used to push the potentially unwanted content onto devices. This stance is further supported by the fact that after the issue was first exposed, the vendor merely buried the hole deeper and changed some of the API-related infrastructure.

To put it into context, even if each install paid a tenth of a cent per installation or pop over, that's a lot of money when it's done several million times at next to no cost.

But that is not the end of the story. User data such as search details, contacts and such are very marketable. There is no proof that data has been harvested, but in the pursuit of profit, it is not hard to imagine such a scenario.

Coolpad has admitted to this "bug," dubbed "CoolReaper," and has insisted it was only for internal testing purposes. The company has made no formal statement beyond saying that it will fix the issue with the utmost priority.

Follow us @tomshardware, on Facebook and on Google+.

  • Christopher1
    Well, I am certain that this is a 'bug' that was intentional. That said, if Coolpad had been HONEST about the fact that this was there and the purposes it could be used for, it might not even come up on my radar.
    I get more pissed royally when a manufacturer does this intentionally and then refuses to admit that they did this intentionally when it is exposed.
  • Au_equus
    That article linking the population is actually the # of cell phone users in China, which is still the most populous country at 1.3 billion according to the 2010 census (India, 2011 census, has 1.2 billion)