CHINA TOPIX

04/26/2024 02:32:12 am


Chinese Smartphones Made by Coolpad Have Hidden Backdoors for Spying on Owners

Hidden Backdoor Inside

(Photo : Coolpad Web site) Coolpad, which sells smartphones under several brand names -- including Halo, also called Danzen -- is one of China's largest original device manufacturers.

Millions of mobile phones sold by China-based maker Coolpad have a so-called backdoor that opens devices to possible malicious attacks, a U.S. security firm revealed in a research paper.

Palo Alto Networks said a comprehensive analysis by its Unit 42 showed the backdoor, named "CoolReaper," apparently goes beyond gathering basic usage data.


The paper revealed Coolpad also apparently modified a version of the Android OS to make it much harder for antivirus applications to detect the backdoor.

CoolReaper gives Coolpad the ability to update and install apps on devices, start services and disable apps, dial phone numbers and send texts -- all without the consent or knowledge of mobile users, the research revealed.

The paper said CoolReaper exists in 24 Coolpad phone models, which means a potential impact on over 10 million users based on publicly disclosed Coolpad sales data.

So far, Palo Alto Networks said the backdoor has been tapped to deliver unsolicited ads and to install unauthorized apps.

Coolpad is one of China's biggest original device manufacturers and sells smartphones under several brand names such as Halo. It was the fifth biggest phone maker in China in the third quarter and has started selling mobiles to Southeast Asia, Taiwan, western Europe and the US.

Palo Alto followed leads from complaints posted online by Coolpad mobile users in China and Taiwan. The firm checked ROM updates that Coolpad posted on its Web site and found signs of CoolReaper.

The research paper said apparent signs that Coolpad created the backdoor included the program's command-and-control servers, which are on domains registered to the Chinese company and used for its public cloud.

Palo Alto Networks warned that any backdoor can be abused, either by its creator or by someone else who can access it. Because of a weakness in Coolpad's control system and possible other flaws in the code, experts said others may tap into the CoolReaper console and take control of mobiles, or install malicious software on devices.
