Recently ZTE acknowledged the existence of a vulnerability in its ZTE Score M, a barebones, inexpensive Android 2.3.4 (Gingerbread) smartphone available for $99 in the U.S. through MetroPCS.
This backdoor is an ELF (executable and linkable format) file under /system/bin/ named “sync_agent”. It has a default “setuid” permission which, after it launches, has the ability to set itself as root.
Basically, a backdoor hole apparently built into the phone by ZTE allows anyone with the hard-coded password used to access it can take over Score M model phones—and worse, that password was published online by the anonymous pastebin poster who first identified the backdoor hole last week.
How to remove the backdoor from ZTE’s Score M smartphone :
1. Run the backdoor on an adb shell: /system/bin/sync_agent ztex1609523
2. To check which device your /system dir has mounted, use the command: mount. There should be a print out like below, note the device name underlined in red:
- ZTE Score M Scores a Backdoor
3. Remount the system partition as RW with command: mount –o remount,rw /your/device/name /system.
4. Remove the backdoor from the system with command: rm /system/bin/sync_agent.
5. Terminate the backdoor with ctrl+c.
Trend Micro researcher Weichao Sun has published a set of instructions for removing the backdoor from the device.
