Friday, 24 November, 2017

OnePlus accused of leaving a backdoor to give root access

Sherri Watson | 14 November, 2017, 23:36

The app in question is EngineerMode APK, and it has been developed by Qualcomm for the device manufacturers to test hardware components.

The app can diagnose the Global Positioning System (GPS), check the root status, perform a series of automated tests, and more. Someone using the app is able to gain root if they have a password to bypass privilege escalation checks.

On Tuesday, developer Elliot Alderson tweeted that OnePlus has left behind an app that can act as a backdoor to get root access to a device without unlocking it. Having root access essentially means the user has complete control over the device, including privileged control over features that would otherwise be locked up. Furthermore, there was a hint of an "AngelaRoot" mode embedded in the APK itself. The application was present on several models of OnePlus devices, including the OnePlus 3, OnePlus 3T and OnePlus 5.

This would potentially allow attackers to compromise a device with very little effort, gaining the ability to insert trackers or other malicious pieces of software.

For owners of OnePlus devices who are curious to learn if the Engineer Mode app is installed on their device, it is possible to find the app by going to Settings, opening the Apps menu, tapping Menu, and Show System apps.

Earlier, according to a post on Christopher Moore's blog, OnePlus is collecting sensitive private data like IMEI numbers, mobile network names and IMSI prefixes, MAC addresses, and more. Between this and its previous aggressive data collection, it looks like OnePlus hasn't been paying particularly close attention to security or privacy on its devices. But it also serves as a warning to OnePlus to be particularly careful with the software it leaves on its future phones after they roll off the production line.