Some OnePlus devices, if not all, come preinstalled with an application named EngineerMode that can be used to root the device and may be converted into a fully-fledged backdoor by clever attackers.
The app was discovered by a mobile security researcher who goes online by the pseudonym of Elliot Alderson — the name of the main character in the Mr. Robot TV series.
Speaking to Bleeping Computer, the researcher said he started investigating OnePlus devices after a story he saw online last month detailing a hidden stream of telemetry data sent by OnePlus devices to the company's servers.
The researcher, who also owns a OnePlus 5 device, started investigating the company's OS by first looking at the source code of OpDeviceManager, the app that was responsible for the telemetry collection.
"As expected OPDeviceManager does pretty nasty things, so I continued to dig into the OnePlus apps," the researcher said.
"After a while, I found this EngineerMode app. It was just a question of time before I found something interesting in it," Alderson said.
According to a series of tweets the researcher published online yesterday evening, the EngineerMode app can perform a series of intrusive hardware diagnosis tests, but can also check for root status, diagnose the GPS function, and more.
Hey @OnePlus! I don't think this EngineerMode APK must be in an user build...— Elliot Alderson (@fs0c131y) November 13, 2017
This app is a system app made by @Qualcomm and customised by @OnePlus. It's used by the operator in the factory to test the devices. pic.twitter.com/lCV5euYiO6
All the functions included in the EngineerMode app are the features you'd find in a diagnosis app that OnePlus engineers use to test phones before they are shipped out.
A plausible scenario is that OnePlus engineers accidentally installed a version of their custom Android operating system (OxygenOS) designed for in-factory use on devices that it shipped to customers.
While mistakes happen at every company, Alderson says OnePlus' error has catastrophic consequences.
The researcher says that an attacker with physical access to a phone can run the following command to root the device.
adb shell am start -n com.android.engineeringmode/.qualcomm.DiagEnabled --es "CODE" "PASSWORD", where CODE = code and PASSWORD = angela
Several other researchers have successfully confirmed and reproduced Alderson's findings.
"We don't have a PoC yet, but it's a question of time," the researcher told Bleeping Computer. "We will release one as soon as we have something stable."
"There is more to come," the researcher told Bleeping Computer. "OnePlus firmware is full of debug apps which must be removed. I will publish more things on Twitter soon."
OnePlus users can test if their device comes with the EngineerMode app by entering the *#808# SSID, which should bring up the app's interface. If the app is installed on their device, they should visit their phone's Apps section and remove it. Some users have also found the EngineerMode app in phones manufactured by Motorola, Xiaomi, and Lenovo.
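The same presence check can be done over adb, which suits anyone auditing more than one handset. The script below is an added example, not code from the article or the researcher: it reads `pm list packages -f` output and reports whether the package named in the command above is listed. The function name `check_engineermode` and the sample APK paths are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article: detect the EngineerMode package in the
# output of `pm list packages -f`, read from stdin.
# Live use (assumes adb and an authorised device):
#   adb shell pm list packages -f | check_engineermode

PKG="com.android.engineeringmode"   # package name taken from the article

# Prints "absent", "present-preinstalled <apk>" or "present-data <apk>".
# Exit status: 0 if the package is listed, 1 if it is not.
check_engineermode() {
    tr -d '\r' | awk -v pkg="$PKG" '
        /^package:/ {
            entry = substr($0, 9)               # strip the "package:" prefix
            if (!match(entry, /=[^=]*$/)) next  # last "=" splits path and name
            name = substr(entry, RSTART + 1)
            apk  = substr(entry, 1, RSTART - 1)
            if (name != pkg) next               # exact match, not a substring
            found = 1
            # APKs under /data were installed or updated after the factory
            # image; anything else ships on a read-only partition.
            kind = (index(apk, "/data/") == 1) ? "present-data" : "present-preinstalled"
            print kind, apk
        }
        END { if (!found) { print "absent"; exit 1 } }
    '
}

# Constructed sample output (paths are illustrative, not captured from a device).
SAMPLE='package:/system/app/EngineeringMode/EngineeringMode.apk=com.android.engineeringmode
package:/data/app/~~Zm9v==/com.example.app-YmFy==/base.apk=com.example.app'

printf '%s\n' "$SAMPLE" | check_engineermode || true
```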
OnePlus has not responded to a request for comment from Bleeping Computer in time for this article's publication. On Twitter, OnePlus CEO Carl Pei thanked the researcher and said his company is looking into the issue.
Besides the issue with hidden user telemetry collection, cyber-security firm Aleph Research also discovered that some OnePlus devices are vulnerable to OS downgrade attacks.
UPDATE: OnePlus admitted its mistake and said it will remove the EngineerMode app from users' devices in a future update.