Are ZTE shipping some Android devices with a root 'back door'?

[Guest PaulOBrien]

Are ZTE shipping some Android devices with a root 'back door'? It certainly appears that way based on a tip given anonymously to @TeamAndIRC and verified by some of our readers!



The tip, which originally was given to TeamAndIRC via pastebin, read:

The ZTE Score M is an Android 2.3.4 (Gingerbread) phone available in the United States on MetroPCS, made by Chinese telecom ZTE Corporation.



There is a setuid-root application at /system/bin/sync_agent that serves no function besides providing a root shell backdoor on the device.  Just give the magic, hard-coded password to get a root shell:



$ sync_agent ztex1609523

# id

uid=0(root) gid=0(root)



Nice backdoor, ZTE.

A bit of a security hole for sure! MoDaCo member TheDeadCpu confirmed that this method is working not just on the device mentioned but on a WWE spec ZTE Skate too. The file doesn't however appear to be present in my old Orange San Francisco ROM, nor in a San Francisco II ROM, so it may be limited to specific devices.



We've reached out to ZTE for comment (and will update here as soon as possible) but, well, it doesn't instil confidence does it...?



Click here to view the item

[Guest hecatae]

not found on zte tureis

[Guest Stuart_f]

Given how shockingly poor ZTE's ability to exercise version control over their source code has been proven to be this really doesn't surprise me.

It's probably some intern's code that shipped because they didn't know it was there.

Fail, pure fail.

[Guest Christian Edwards]

Can this backdoor be exploited remotely or only if you have the device?

Sorry if it a bit of a noob question but had a Skate and now have the G300 which also has a big security hole.