UPDATE Chinese phone maker OnePlus is accused of leaving a debugging app on its phones capable of giving adversaries root access to the devices. The application in question is called EngineerMode and is made by Qualcomm.
An anonymous researcher who goes by the handle Elliot Alderson, a character in the TV drama Mr. Robot, discovered the tool that he said could act as a “backdoor” by adversaries to access data on devices.
In an interview with Threatpost, the researcher said he examined the latest firmware for the OnePlus 5 handset downloaded from the company’s website. After that analysis, he determined the preinstalled EngineerMode app could allow root level control of devices running the firmware (oneplus_5_oxygenos_4.5.14). Additionally, the EngineerMode app could also be used by a hacker who was able to obtain physical access to the device.
Qualcomm declined to comment, only stating to Threatpost it was investigating the matter. However, sources familiar with the application said that the app is widely used on Android phones, but only supposed to be used by a phone maker’s pre-development team and must be removed in advance of a device’s sale. OnePlus mistakenly left this diagnostic app on the phone, they said.
Originally OnePlus, the Shenzhen, China-based smartphone manufacturer, did not return repeated email requests for comment for this article. However, OnePlus co-founder Carl Pei commented via Twitter that he thanked the anonymous researcher and said his company would investigate.
https://twitter.com/getpeid/status/930197107255992321?ref_src=twsrc%5Etfw
Subsequently, OnePlus has released a statement Tuesday afternoon addressing security concerns:
“We received a lot of questions regarding an apk found in several devices, including our own, named EngineerMode, and we would like to explain what it is. EngineerMode is a diagnostic tool mainly used for factory production line functionality testing and after sales support.
We’ve seen several statements by community developers that are worried because this apk grants root privileges. While, it can enable adb root which provides privileges for adb commands, it will not let 3rd-party apps access full root privileges. Additionally, adb root is only accessible if USB debugging, which is off by default, is turned on, and any sort of root access would still require physical access to your device.
While we don’t see this as a major security issue, we understand that users may still have concerns and therefore we will remove the adb root function from EngineerMode in an upcoming OTA.”
OnePlus, a midmarket Android phone maker, was founded in 2013. In a 2015 report, OnePlus stated it has sold 1.5 million smartphones across 36 countries. It’s unclear what the company’s market share in North America is, but according to the company’s website, it is launching its OnePlus 5T model phone Thursday at an event in Brooklyn, New York.
“If you have physical access to the device, you just have to plug the phone into the computer and send the intent,” the anonymous researcher said. “You have ADB root access and you can do what you want. You can request things like ‘pull /data/data/’, which dumps all app data from the phone to an attacker.”
ADB is shorthand for Android Debug Bridge, which is a tool for developers to work out bugs within their Android applications. It requires a connection between a PC and an Android device and allows a developer to use PC command lines to manipulate the device and apps.
Researchers at mobile app security firm NowSecure looked into the anonymous researcher’s claims and independently confirmed the existence of the EngineerMode app with its own research.
“At this time, the (app) is most useful to an attacker with physical access to a OnePlus device or an owner looking to root their own device,” according to a write-up of the backdoor posted Tuesday by the NowSecure Mobile Threat Research Team.
NowSecure researchers said that OnePlus created a customized version of the Android OS called OxygenOS and that the EngineerMode app is a diagnostic app developed by Qualcomm for pre-deployment device testing of the OxygenOS operating system.
“What seems especially careless is OnePlus leaving behind a system-signed .apk and a native library with a SHA256 hash of the password that was easily reversed,” researchers wrote.
“With the password, the EngineerMode app enables a debugging mode that is generally only needed for development of the device and grants full root privileges on the device via a simple ADB command or potentially by installing an APK from the Play Store,” NowSecure wrote.
“Using (a specific) shell command triggers the diagnostic mode (or backdoor) and grants future ADB sessions root access, even after the device is rebooted,” researcher wrote.
According to NowSecure affected devices include OnePlus 3 (OxygenOS 4.5.1, build number ONEPLUS A3003_16_171012) and OnePlus 5 (OxygenOS 4.5.14, build number ONEPLUSA5000_23_171031).
(This article has been updated to include a statement by phone maker OnePlus at 5 pm ET on 11/14/17)