Phones from Chinese maker Coolpad Group Ltd. have been found to have a backdoor manufactured into them.

A report from Palo Alto Networks Inc.’s Unit 42 found that the phones, popular in China and Taiwan but sold globally, contained a backdoor dubbed “CoolReaper” that exposes users to potentially malicious activity.

The researches found that the backdoor can:

• Download, install, or activate any Android application without user consent or notification
• Clear user data, uninstall existing applications, or disable system applications
• Notify users of a fake Over-the-air (OTA) update that doesn’t update the device, but installs unwanted applications
• Send or insert arbitrary SMS or MMS messages into the phone
• Dial arbitrary phone numbers
• Upload information about device, its location, application usage, calling and
• SMS history to a Coolpad server

The implementation of the backdoor was found to be intentional with Coolpad modifying the Android OS to specifically hide the CoolReaper components from the user and other applications, specifically antivirus programs.

To make matters considerably worse, the research found that the backdoor is being actively exploited: Coolpad users in China have complained that their phones are installing unwanted applications and receiving push-notification advertisements. Complaints to date have been ignored and/ or deleted by Coolpad.

Coolpad may not be a well known name in the West, but it’s currently the worlds 6th largest mobile phone manufacturer with a global market share of 3.7% according to IDC. The company is listed on the Hong Kong stock exchange with a current market cap of HK$7,042 million ($908 million.)

Three of its phones are currently available in the United States: the Coolpad Quattro 4G (Coolpad 5860E), Coolpad Flo and Coolpad Quattro II, and are sold by T-Mobile US Inc.’s subsidiary MetroPCS Communications, Inc.

The company had made no comment on the allegations at the time of writing.