Chinese phone maker OnePlus is accused of leaving a debugging app on its phones capable of giving adversaries root access to the devices. The applicat
Chinese phone maker OnePlus is accused of leaving a debugging app on its phones capable of giving adversaries root access to the devices. The application in question is called EngineerMode and is made by Qualcomm.
An anonymous researcher who goes by the handle Elliot Alderson, a character in the TV drama Mr. Robot, discovered the tool that he said could act as a “backdoor” by adversaries to access data on devices.
In an interview with Threatpost, the researcher said he examined the latest firmware for the OnePlus 5 handset downloaded from the company’s website. After that analysis, he determined the preinstalled EngineerMode app could allow root level control of devices running the firmware (oneplus_5_oxygenos_4.5.14). Additionally, the EngineerMode app could also be used by a hacker who was able to obtain physical access to the device.
Qualcomm did not return requests for comment for this article. However, sources familiar with the application said that the app is widely used on Android phones, but only supposed to be used by a phone maker’s pre-development team and must be removed in advance of a device’s sale. OnePlus mistakenly left this diagnostic app on the phone, they said.
OnePlus, the Shenzhen, China-based smartphone manufacturer, did not return repeated email requests for comment for this article. However, OnePlus co-founder Carl Pei commented via Twitter that he thanked the anonymous researcher and said his company would investigate.
Thanks for the heads up, we’re looking into it.
— Carl Pei (@getpeid) November 13, 2017
OnePlus, a midmarket Android phone maker, was founded in 2013. In a 2015 report, OnePlus stated it has sold 1.5 million smartphones across 36 countries. It’s unclear what the company’s market share in North America is, but according to the company’s website, it is launching its OnePlus 5T model phone Thursday at an event in Brooklyn, New York.
“If you have physical access to the device, you just have to plug the phone into the computer and send the intent,” the anonymous researcher said. “You have ABD root access and you can do what you want. You can request things like ‘pull /data/data/’, which dumps all app data from the phone to an attacker.”
ABD is shorthand for Android Debug Bridge, which is a tool for developers to work out bugs within their Android applications. It requires a connection between a PC and an Android device and allows a developer to use PC command lines to manipulate the device and apps.
Researchers at mobile app security firm NowSecure looked into the anonymous researcher’s claims and independently confirmed the existence of the EngineerMode app with its own research.
“At this time, the (app) is most useful to an attacker with physical access to a OnePlus device or an owner looking to root their own device,” according to a write-up of the backdoor posted Tuesday by the NowSecure Mobile Threat Research Team.
NowSecure researchers said that OnePlus created a customized version of the Android OS called OxygenOS and that the EngineerMode app is a diagnostic app developed by Qualcomm for pre-deployment device testing of the OxygenOS operating system.
“What seems especially careless is OnePlus leaving behind a system-signed .apk and a native library with a SHA256 hash of the password that was easily reversed,” researchers wrote.
“With the password, the EngineerMode app enables a debugging mode that is generally only needed for development of the device and grants full root privileges on the device via a simple ADB command or potentially by installing an APK from the Play Store,” NowSecure wrote.
“Using (a specific) shell command triggers the diagnostic mode (or backdoor) and grants future ADB sessions root access, even after the device is rebooted,” researcher wrote.
According to NowSecure affected devices include OnePlus 3 (OxygenOS 4.5.1, build number ONEPLUS A3003_16_171012) and OnePlus 5 (OxygenOS 4.5.14, build number ONEPLUSA5000_23_171031).