How to remove the backdoor from ZTE’s Score M smartphone

Recently ZTE acknowledged the existence of a vulnerability in its  ZTE Score M, a barebones, inexpensive Android 2.3.4 (Gingerbread) smartphone available for $99 in the U.S. through MetroPCS.

This backdoor is an ELF (executable and linkable format) file under /system/bin/ named “sync_agent”. It has a default “setuid” permission which, after it launches, has the ability to set itself as root.

Basically, a backdoor hole apparently built into the phone by ZTE allows anyone with the hard-coded password used to access it can take over Score M model phones—and worse, that password was published online by the anonymous pastebin poster who first identified the backdoor hole last week.

How to remove the backdoor from ZTE’s Score M smartphone :

1. Run the backdoor on an adb shell: /system/bin/sync_agent ztex1609523
2. To check which device your /system dir has mounted, use the command: mount. There should be a print out like below, note the device name underlined in red:

How to remove Backdoor Vulnerability from iPhone
ZTE Score M Scores a Backdoor

3. Remount the system partition as RW with command: mount –o remount,rw /your/device/name /system.
4. Remove the backdoor from the system with command: rm /system/bin/sync_agent.
5. Terminate the backdoor with ctrl+c.

Trend Micro researcher Weichao Sun has published a set of instructions for removing the backdoor from the device.

); ga('send', 'pageview');