OnePlus left EngineerMode APK in end user OxygenOS builds, easily rootable

OnePlus 5, OnePlus 3T, OnePlus 3 and even some OnePlus One units are vulnerable to root without the need to unlock the bootloader. This is thanks to a Qualcomm system-side app and OnePlus’s decision to leave it in the custody of end users. And it looks to be an issue on the OnePlus 5T as well.

The story begins with a developer posting under the pseudonym of Elliot Alderson, the name of the central character from “Mr. Robot.”

He was able to find a system app named EngineerMode that is actually a Qualcomm factory app with the ability to toggle components such as the charging chip, GPS, NFC and others. Because this app shouldn’t be included in consumer-side ROMs, it’s a target that malicious actors will want to crack into.

With a simple ADB script, users can run the application and dig into a diagnostic activity. They are able to gain root if they have a password to bypass privilege escalation checks.

Through some digging into the device’s cryptographic library, research firm NowSecure was able to obtain the password “angela” — perhaps a reference to the Angela Moss character in “Mr. Robot.” Furthermore, there was a hint to an “AngelaRoot” mode embedded in the APK itself.

A clue as to the OnePlus backdoor password

The app has been found in previous OnePlus phones with OxygenOS installed — those still on CyanogenOS with the OnePlus One apparently don’t see it.

While the EngineerMode APK can be customized per manufacturer, the so-called “Alderson” also claims to be able to tap into ASUS, Xiaomi and the yet-to-be-released OnePlus 5T.

OnePlus co-founder Carl Pei acknowledged the issue, but the company has yet to fully address the backdoor. Qualcomm has not said anything, either.

About The Author
Jules Wang
Jules Wang is News Editor for Pocketnow and one of the hosts of the Pocketnow Weekly Podcast. He came onto the team in 2014 as an intern editing and producing videos and the podcast while he was studying journalism at Emerson College. He graduated the year after and entered into his current position at Pocketnow, full-time.