OnePlus Security Troubles Mount As Root Access Backdoor Discovered In Preinstalled App
OnePlus is catching heat from its customers yet again, this time for the discovery of a pre-installed application found on several of its handsets that could allow an attacker to gain root access. The application is a diagnostics tool called "EngineerMode" that Qualcomm developed and distributes to OEMs like OnePlus so they can test the hardware components of a device. However, it is not intended to stay on handsets once they ship to consumers.
The presence of Qualcomm's app was discovered by Twitter user Elliot Alderson. After he brought it to attention, security outfit NowSecure reverse engineered it and found that it could easily be exploited with a simple ADB command to enable a backdoor into devices that have the application installed.
"Using this shell command triggers the diagnostic mode (or backdoor) and grants future ADB sessions root access, even after the device is rebooted," NowSecure stated in a blog post.
<Thread> Hey @OnePlus! I don't think this EngineerMode APK must be in an user build...🤦‍♂️
This app is a system app made by @Qualcomm and customised by @OnePlus. It's used by the operator in the factory to test the devices. pic.twitter.com/lCV5euYiO6
— Elliot Alderson (@fs0c131y) November 13, 2017
It is a little more involved than that, as NowSecure had to disassemble the EngineerMode APK in order to ultimately dig up and decrypt the password that is used to enable diagnostic mode. But the team proved it can be done without a whole lot of effort, which in turn leaves a lot of OnePlus devices vulnerable.
The application is found on all OnePlus 3, OnePlus 3T, and OnePlus 5 devices, and is easily accessible through any activity launcher. This is another black eye for OnePlus, which was recently criticized for not being transparent about data collection in OxygenOS. Once it came to light that OnePlus was collecting telephone numbers, MAC addresses, and Wi-Fi information, the Internet community was outraged, prompting OnePlus to promise it would stop collecting such data, and be more transparent about its data collection policies in the future.