OnePlus left EngineerMode APK in end user OxygenOS builds, easily rootable
OnePlus 5, OnePlus 3T, OnePlus 3 and even some OnePlus One units can be rooted without unlocking the bootloader, thanks to a Qualcomm engineering app that OnePlus left in the OxygenOS builds it ships to end users. The OnePlus 5T looks to be affected as well.
The story begins with a developer posting under the pseudonym of Elliot Alderson, the name of the central character from “Mr. Robot.”
<Thread> Hey @OnePlus! I don’t think this EngineerMode APK must be in a user build…🤦♂️
This app is a system app made by @Qualcomm and customised by @OnePlus. It’s used by the operator in the factory to test the devices. pic.twitter.com/lCV5euYiO6
— Elliot Alderson (@fs0c131y) November 13, 2017
He found a system app named EngineerMode that is in fact a Qualcomm factory-test app able to toggle components such as the charging chip, GPS and NFC. An app like this has no business in a consumer ROM, and because it ships as a system app it is exactly the kind of component an attacker will try to abuse for privilege escalation.
With a simple ADB command, a user can launch the app and reach a diagnostic activity inside it. Supplying the right password to that activity bypasses its privilege-escalation check and grants root.
By digging into the device’s cryptographic library, research firm NowSecure recovered the password “angela”, perhaps a reference to the Angela Moss character in “Mr. Robot.” The APK itself also carries a hint of an “AngelaRoot” mode. Because the password is a fixed string in a library shipped on every affected device, recovering it once is enough to unlock the mode on all of them.
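The underlying mistake is twofold: a factory-only package shipped on the system partition, and an activity in it that any caller (an ADB shell included) can start. The script below is an added example, not code from the researchers, OnePlus or Qualcomm. It triages the two inputs a practitioner already collects when auditing a build over ADB: the output of `adb shell pm list packages -f`, and a decoded AndroidManifest.xml of the sort `apktool d` produces. The package name, the activity names and both sample inputs are constructed for illustration and are not taken from the real APK; the check for exported, permission-less activities is the general one and applies to any app, not only EngineerMode.

```python
"""Audit an Android build for factory/engineering apps and for exported
activities that any caller can launch. Added example; the sample inputs,
package name and activity names below are constructed assumptions."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample of `adb shell pm list packages -f` output.
PM_LIST = """\
package:/system/priv-app/EngineerMode/EngineerMode.apk=com.android.engineermode
package:/system/app/Calculator/Calculator.apk=com.android.calculator2
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/com.example.game-1/base.apk=com.example.game
"""

# Name fragments that usually mark a factory-line or diagnostic tool.
FACTORY_HINTS = ("engineermode", "engineer", "factory", "diag", "fqc", "mmi")


def find_factory_apps(pm_output: str) -> list[tuple[str, str]]:
    """Return (package, apk path) for system-partition packages whose
    package name or path contains a factory/diagnostic hint."""
    hits = []
    for line in pm_output.splitlines():
        m = re.match(r"package:(?P<path>\S+)=(?P<pkg>\S+)", line.strip())
        if not m:
            continue
        path, pkg = m["path"], m["pkg"]
        if not path.startswith("/system/"):
            continue  # user-installed apps are out of scope for this check
        haystack = (path + pkg).lower()
        if any(hint in haystack for hint in FACTORY_HINTS):
            hits.append((pkg, path))
    return hits


# Constructed manifest excerpt; activity names are assumed for illustration.
MANIFEST = f"""\
<manifest xmlns:android="{ANDROID_NS}" package="com.android.engineermode">
  <uses-sdk android:minSdkVersion="23" android:targetSdkVersion="26"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <activity android:name=".DiagActivity" android:exported="true"/>
    <activity android:name=".GuardedActivity" android:exported="true"
              android:permission="android.permission.DUMP"/>
    <activity android:name=".InternalActivity" android:exported="false"/>
  </application>
</manifest>
"""


def exported_unprotected_activities(manifest_xml: str) -> list[str]:
    """List activities that any app or `adb shell am start` can launch:
    exported (explicitly, or implicitly via an intent-filter) and not
    guarded by an android:permission attribute."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    found = []
    for act in root.iter("activity"):
        name = act.get(f"{{{ANDROID_NS}}}name", "")
        exported = act.get(f"{{{ANDROID_NS}}}exported")
        if exported is None:
            # Before API 31 an activity with an intent-filter is exported by default.
            exported = "true" if act.find("intent-filter") is not None else "false"
        if exported == "true" and act.get(f"{{{ANDROID_NS}}}permission") is None:
            found.append(pkg + name if name.startswith(".") else name)
    return found


if __name__ == "__main__":
    for pkg, path in find_factory_apps(PM_LIST):
        print(f"factory/diag app on system partition: {pkg} ({path})")
    for act in exported_unprotected_activities(MANIFEST):
        print(f"launchable by any caller: {act}")
```

Run against a real device, replace the two constants with `adb shell pm list packages -f` output and a manifest decoded with apktool; every hit in the second list is an entry point whose own code, not the Android permission model, is the only thing standing between an unprivileged caller and whatever the activity does.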
The app has also been found on earlier OnePlus phones running OxygenOS; OnePlus One units still on CyanogenOS apparently do not have it.
Additional information: I am still using Cyanogen OS, not Oxygen OS.
— Yunus (@amyunusmas) November 14, 2017
The EngineerMode APK can be customised per manufacturer, and Alderson also claims to be able to tap into it on ASUS and Xiaomi devices as well as on the yet-to-be-released OnePlus 5T.
OnePlus co-founder Carl Pei has acknowledged the issue, but the company has yet to fully address the backdoor, and Qualcomm has not commented.
Thanks for the heads up, we’re looking into it.
— Carl Pei (@getpeid) November 13, 2017