A OnePlus spokesperson has officially confirmed a card breach incident affecting its online store, about which rumors started circulating online earlier in the week.
A security researcher has found a second factory app that was included on OnePlus devices delivered to customers, and this one can be abused to dump the user's photos and videos, but also GPS, WiFi, Bluetooth, and various other logs.
Some OnePlus devices, if not all, come preinstalled with an application named EngineerMode that can be used to root the device and may be converted into a fully-fledged backdoor by clever attackers.
OxygenOS, a custom version of the Android operating system that comes installed on all OnePlus smartphones, is tracking users actions without anonymizing data, allowing OnePlus to connect each phone to its customer.
Almost all recent OnePlus smartphones are vulnerable to attacks that can downgrade the phone's operating system and expose the device to previously patched security flaws.