This Accidental App Inside OnePlus Smartphones Can Allow A Hacker To Fully Control The Devices
The app was meant to be a factory testing system and should have been wiped prior to sales.
There might be a serious problem on the horizon for OnePlus users. An app developer has discovered that it¡¯s possible to breach some of the company¡¯s smartphones and root them, without ever even unlocking the bootloader. All because OnePlus accidentally left an internal app in the phone¡¯s UI.
The app is called ¡®Engineering Mode¡¯, developed by Qualcomm and subsequently customised by OnePlus for use in their own phones. It¡¯s an app solely used for factory testing and should never have been removed before the devices left the factory. Unfortunately, it remained pre-installed in the OnePlus 3, OnePlus 3T, and the OnePlus 5.
¡ª Elliot Alderson (@fs0c131y) November 13, 2017
Hey @OnePlus! I don't think this EngineerMode APK must be in an user build...??¡á?
This app is a system app made by @Qualcomm and customised by @OnePlus. It's used by the operator in the factory to test the devices. pic.twitter.com/lCV5euYiO6
Consequently, the developer that tweeted the warning realised that initiating one of the app¡¯s functions with the correct password grants root privileges to the person in control. This password was easy enough to obtain with the aid of a few cybersecurity experts.
Basically, it means an attacker can get into your OnePlus smartphone with a password not under your control, and pretty much do whatever he/she wants. OnePlus co-founder Carl Pei has since tweeted saying the company has taken note of the issue and is investigating.
Hopefully it won¡¯t be too long before the company can roll out a patch to hotfix the loophole. In the meantime, there¡¯s not much else you can do except sit tight.
