Another terrible news for OnePlus users.
Just over a month after OnePlus was caught collecting personally identifiable information on its users, the Chinese smartphone company has been found leaving a backdoor on almost all OnePlus handsets.
A Twitter user, who goes by the name “Elliot Anderson” (named after Mr. Robot’s main character), discovered a backdoor (an exploit) in all OnePlus devices running OxygenOS in which could allow anyone to obtain root access to the devices.
The application in question is usually “EngineerMode,” a diagnostic testing application made by Qualcomm for device manufacturers to easily test all hardware components of the device.
This kind of APK comes pre-installed (accidentally left behind) on most OnePlus devices, including OnePlus 2, 3, 3T, in addition to the newly-launched OnePlus 5. We can confirm its existence on the OnePlus 2, 3 in addition to 5.
You can also check if This kind of application is usually installed on your OnePlus device or not. with This kind of, simply go to settings, open apps, enable show system apps coming from top right corner menu (three dots) in addition to search for EngineerMode.APK inside the list.
If This kind of’s there, anyone with physical access to your device can exploit EngineerMode to gain root access on your smartphone.
EngineerMode has been designed to diagnose issues with GPS, check the root status of the device, perform a series of automated ‘production line’ tests, in addition to many more.
After decompiling the EngineerMod APK, the Twitter user found ‘DiagEnabled’ activity, which if opened having a specific password (This kind of is usually “Angela”, found after reverse engineering) allows users to gain full root access on the smartphone—without even unlocking the bootloader.
Although the chance of This kind of application already being exploited inside the wild is usually probably low, This kind of seems to be a serious security concern for OnePlus users as root access can be achieved by anyone using a simple command.
Moreover, with root access in hands, an attacker can perform lots of dangerous tasks on victim’s OnePlus phone, including stealthy installing sophisticated spying malware, which is usually difficult to detect or remove.
Meanwhile, in order to protect themselves in addition to their devices, OnePlus owners can simply disable root on their phones. To do so, run following command on ADB shell:
“setprop persist.sys.adb.engineermode 0” in addition to “setprop persist.sys.adbroot 0” or call code *#8011#
In response to This kind of issue, OnePlus co-founder Carl Pei said in which the company is usually looking into the matter.
The Twitter user has promised to Discharge a one-click rooting app for OnePlus devices using This kind of exploit. We will update the article as soon as This kind of is usually available.