News: Another Security Concern from OnePlus — Backdoor Root App Comes Preinstalled on Millions of Phones

Another Security Concern from OnePlus — Backdoor Root App Comes Preinstalled on Millions of Phones

After recently being in the news for collecting PII (personally identifiable information) for analytics and after-sales support, OnePlus has another security problem. An individual going by the name Elliot Alderson discovered an app in OnePlus devices that can enable root access with one command.

Although we as Android users aspire to root our devices, we are aware of the risk that rooting provides. With an app that simplifies the process, millions of devices are now vulnerable.

Rooting provides system access to Android devices. By accessing the root folder, users can make changes that would otherwise be impossible without this privilege. However, this same privilege could be used by another individual to conduct a particularly nasty attack on your device.

The same level of control that you may use harmlessly can be used to extract PII, listen to conversations, and many other attacks that could harm you financially. With an app simplifying this process, anyone within physical access to your device (or even remote access using malware) can exploit this backdoor.

The app is called EngineerMode and was designed by Qualcomm to perform tests before deploying phones out to the public. OEMs are expected to remove this app once the testing is completed due to this vulnerability.

The app can perform a number of tests including diagnosing sensors, checking root status, and providing root access without unlocking the bootloader.

Therein lies the problem: Android has security mechanisms in place to ensure that once a phone's bootloader is unlocked to enable root using traditional methods, all data is automatically wiped. But since this app can grant root without unlocking the bootloader, another app that exploited this backdoor could bypass these security mechanisms and theoretically access all of your existing data.

Elliot Alderson, upon discovering the application, speculated that it could be used to root devices by finding a simple password. The NowSecure Research Team answered the call and learned the password that enables this simple root method OnePlus devices. To root a device, the DiagEnabled function must be launched from the app. This function has a method called escalatedUp which, when given the correct password, will root devices.

By inputting the following command using ADB, you can root your device:

adb shell am start -n --es "code" "angela"

Once entered, ADB will disconnect and restart. Once you re-enter ADB, you will find that your device is rooted — with no superuser management tool like SuperSU to dole out root access, and more importantly, to deny root access to certain apps.

Update 1: More Devices Found with EngineerMode

It looks like this application has been discovered on other devices. Since it's a Qualcomm application, any device using a Qualcomm SoC could potentially still have this APK installed.

According to Alderson, devices from Xiaomi, Motorola, and ASUS have been found with this app on consumer models. To see if the app is on your device, navigate to the "Apps" menu in Settings, then tap the three-dot menu button in the upper-right corner (or along the bottom of the screen) and select "Show System processes." From there, if you see an app called "EngineerMode," your device is vulnerable to this exploit.

OnePlus's Carl Pei has replied to Elliot Alderson, stating "Thanks for the heads up, we're looking into it," indicating a future update will remove this system app. Hopefully, a complete list of affected devices will emerge so other OEMs will also send out a fix.

In the meantime, according to Alderson, the upcoming OnePlus 5T will have the same app preinstalled. Hopefully, OnePlus can get to the bottom of this soon.

Update 2: OnePlus Responds

Well that was fast. OnePlus staff member OmegaHsu posted on the OnePlus forum Monday night addressing the issue.

In the post, OmegaHsu explains that, although EngineerMode can potentially root the device via ADB commands, third parties cannot trigger the exploit to acquire root privileges. An app cannot send ADB commands from within Android, so EngineeringMode theoretically shouldn't be susceptible to malware attacks like the recently discovered Toast Overlay bug.

The process would also need USB debugging to be enabled in the phone's settings, which is disabled by default and would require physical access to enable. OmegaHsu further explains that, due to customer concern, ADB root commands will be removed from EngineerMode in a coming OTA, although the company does not see ADB root as a security threat.

So, what do you think? With the OnePlus 5T announcing in a few days, does this latest security problem make you reconsider the device? Let us know in the comments below. Stay tuned to Gadget Hacks for more updates on this story.

Hot Deal: Set up a secure second phone number and keep your real contact details hidden with a yearly subscription to Hushed Private Phone Line for Android/iOS, 83%–91% off. It's a perfect second-line solution for making calls and sending texts related to work, dating, Craigslist sales, and other scenarios where you wouldn't want to give out your primary phone number.

Cover image and screenshots by Jennifer Welsh/Gadget Hacks

Be the First to Comment

Share Your Thoughts

  • Hot
  • Latest