
A few months ago, the American mobile phone service provider MetroPCS launched, together with ZTE, the Chinese handset manufacturer, an affordable, entry-level Android phone called the ZTE Score M. This Android 2.3.4 (Gingerbread) phone comes with a variety of features like a 3.5-inch HVGA touchscreen, a 600MHz CPU, a 3.2-megapixel camera, Wi-Fi, 4GB of internal memory and a microSD slot. Oh yeah, and a root backdoor!

Thanks to an anonymous post to Pastebin, details have now emerged that the device has a setuid-root binary (a program that runs with root privileges) in /system/bin/sync_agent that serves no function other than to provide a root shell backdoor. If you know the hard-coded password (ztex1609523) then you get unlimited root access to the phone.

It has also been confirmed that the ZTE Skate, which is sold by Orange in the U.K., has the same backdoor. Security researchers are scrambling to see if other ZTE devices suffer from the same security vulnerability.
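One way to check another device for the same class of problem is to audit its `/system/bin` listing for setuid-root files that are not in a known-good baseline. The following is an added example, not code from the original article or from ZTE; the listing is constructed sample data in the style of `ls -l` output, and the baseline set is a hypothetical placeholder you would build from a trusted image.

```python
# Constructed sample of `ls -l /system/bin` output (not captured from a real device).
SAMPLE_LISTING = """\
-rwxr-xr-x root     shell       18308 2011-08-08 14:05 dumpstate
-rwsr-x--- root     shell        9852 2011-08-08 14:05 run-as
-rwsr-sr-x root     root         5588 2011-08-08 14:05 sync_agent
-rwxr-sr-x root     net_raw     26708 2011-08-08 14:05 ping
lrwxr-xr-x root     shell             2011-08-08 14:05 ls -> toolbox
"""


def setuid_root_entries(listing):
    """Return names of regular files that are setuid and owned by root."""
    hits = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 4 or len(fields[0]) < 10:
            continue  # blank line, "total N" header, or truncated entry
        mode = fields[0]
        if mode[0] != "-":
            continue  # only regular files; skips symlinks and directories
        # GNU-style ls puts a link count before the owner; some Android
        # listings omit it. Accept both layouts.
        owner = fields[2] if fields[1].isdigit() else fields[1]
        # Position 3 of the mode string is the owner-execute slot:
        # 's' = setuid + executable, 'S' = setuid without execute.
        if mode[3] in "sS" and owner == "root":
            hits.append(fields[-1])
    return hits


def unexpected_setuid_root(listing, baseline):
    """Setuid-root files that the baseline does not account for."""
    return [name for name in setuid_root_entries(listing) if name not in baseline]


if __name__ == "__main__":
    baseline = {"run-as"}  # hypothetical baseline, an assumption for this example
    for name in unexpected_setuid_root(SAMPLE_LISTING, baseline):
        print("review setuid-root binary:", name)
```

A file flagged here is only a candidate for review: the check shows that a binary runs as root for any caller, not what it does once started.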

But… Don’t Panic! The ZTE Score M and the ZTE Skate aren’t the best-selling phones on the market, so the number of users actually affected is small.

Reactions on the Internet are varied. In response to an unofficial quote that ZTE will fix the problem, one user wrote, “That’s like finding a camera in your shower and your landlord saying sorry about that, I’ll fix it soon,” while another added that “it’s a massive security hole.” However, they did offer a solution: “it would also be fairly easy to fix. Use the backdoor to get root, delete the backdoor, close the shell, done.”

Do you own a ZTE Score M or a ZTE Skate? Does this revelation worry you? Or do you think it is a storm in a teacup? Let us know by leaving a comment below.

Gary Sims