A security researcher has found a second factory app that shipped on OnePlus devices delivered to customers. This one can be abused to dump the user's photos and videos, as well as GPS, WiFi, Bluetooth, and various other logs.
Discovered by a mobile security researcher who goes online by the pseudonym Elliot Alderson (the name of the main character in the Mr. Robot TV series), the app is named OnePlusLogKit. It comes preinstalled on OnePlus devices and also runs with system privileges.
The same security researcher found a similar OnePlus factory app yesterday. That app, named EngineerMode, allowed a user or malicious threat actor to root devices.
According to a series of tweets and screenshots of the app's source code that the researcher published online today, this second app can enable logging for various phone services and saves the resulting logs on the phone's SD card.
Hi @Oneplus ! Remember me? Let's talk about another debug app you left in your device.— Elliot Alderson (@fs0c131y) November 15, 2017
OnePlusLogKit is a system application which allows you to do a multitude of things: get wifi logs, nfc logs, gps logs pic.twitter.com/HvnErm8rXg
This is a big security issue, Alderson told Bleeping Computer in a private conversation. An attacker can enable the logging behavior in three ways and then steal the collected logs as they pile up.
OnePlusLogKit logging can be enabled by entering *#800# via the phone's dial pad. This brings up the app's interface where various logging features can be turned on or off.
An attacker with physical access to the device can enable the logging and collect the logs at a later date. In addition, attackers could use social engineering and trick users into enabling the logging themselves and later sending over the log files.
Last but not least, an attacker can use malware to enable logging and data collection programmatically.
"You don't need to be root here," the researcher said. "The log files are stored in the SD card. So if an app has the permission to read the SD card, it can access the logs."
According to Alderson, the OnePlusLogKit app can log WiFi traffic, Bluetooth traffic, NFC activity, GPS coordinates over time, power consumption, modem signal/data details, "lag issues," and more.
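One way to audit a pulled copy of a device's shared storage for the kinds of logs listed above, as an added example that is not from the article or the researcher's published code. The file formats checked (pcap/pcapng, btsnoop, NMEA), the function names, and the sample directory tree are assumptions; the article does not say which formats OnePlusLogKit writes.

```python
import tempfile
from pathlib import Path

# Leading bytes of common capture formats. Assumption: the article does not
# say which file formats OnePlusLogKit writes.
CAPTURE_MAGICS = {b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4", b"\x0a\x0d\x0d\x0a"}  # pcap LE/BE, pcapng
BTSNOOP_MAGIC = b"btsnoop\x00"
NMEA_PREFIXES = (b"$GPGGA", b"$GPRMC", b"$GNGGA", b"$GNRMC")

def classify(head):
    """Return a label for sensitive log content, or None if nothing matched."""
    if head[:4] in CAPTURE_MAGICS:
        return "network capture"
    if head[:8] == BTSNOOP_MAGIC:
        return "bluetooth HCI capture"
    if any(line.startswith(NMEA_PREFIXES) for line in head.splitlines()):
        return "GPS NMEA track"
    return None

def scan_shared_storage(root):
    """Map relative path -> label for every flagged file under root."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        try:
            with open(path, "rb") as fh:
                kind = classify(fh.read(4096))
        except OSError:
            continue  # directory or unreadable file: skip, keep scanning
        if kind:
            findings[path.relative_to(root).as_posix()] = kind
    return findings

def build_sample_tree():
    """Constructed sample data standing in for a pulled copy of the SD card."""
    root = tempfile.mkdtemp(prefix="sdcard_copy_")
    samples = {
        "logs/wifi.cap": b"\xd4\xc3\xb2\xa1" + b"\x00" * 20,
        "logs/bt_hci.log": b"btsnoop\x00\x00\x00\x00\x01",
        "logs/gps.txt": b"$GPGGA,120000,0000.000,N,00000.000,E,1,08,0.9,0.0,M,,,,\n",
        "DCIM/note.txt": b"holiday packing list\n",
    }
    for rel, data in samples.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root

if __name__ == "__main__":
    for rel, kind in sorted(scan_shared_storage(build_sample_tree()).items()):
        print(f"{kind:24}{rel}")
```

Anything this flags is readable by every app holding the storage-read permission, which is the exposure the researcher describes.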
In addition, the app can be used to query for real-time information such as a list of currently running processes, currently running services, battery stats, and more. The first two are of note, as such lists are used by mobile banking trojans to detect when users open mobile banking apps so they can immediately show phishing overlays.
The breadth of information logged by the app is astounding. Alderson believes the app was left on purpose on OnePlus devices to help OnePlus customer support representatives in their daily work of debugging faulty OnePlus devices.
This makes little sense, as most companies install debug apps on customer devices only when customers send their phones in for servicing, and don't leave an app with such intrusive features on all devices by default.
A OnePlus spokesperson was not available to explain the app's purpose.
The researcher also published the OnePlusLogKit app's decompiled source code on GitHub, so other researchers can review it and potentially discover new issues.
Besides the two factory apps left on OnePlus devices, the company was also accused of collecting user telemetry without anonymizing data, an issue that could allow OnePlus to track individual users.
Also, cyber-security firm Aleph Research discovered that some OnePlus devices are vulnerable to OS downgrade attacks, allowing attackers to roll back OnePlus operating systems to previous vulnerable versions.