There are plenty Android phone users who make a habit of rooting their devices in order to gain more control over their device, gain access to system settings and files that would otherwise be unavailable, and run apps that only work on a rooted device.
But choosing to root your phone is one thing. Finding out that there’s an app on your phone that could be used to root your device with or without your permission or knowledge is another.
And it turns out that at least a few phones from OnePlus do include an app that lets you root the phone without first unlocking the bootloader. On the one hand that might be good news for folks that just want a simple way to root their device. On the other, it poses a security vulnerability that malicious hackers could theoretically use to take over your device.
So here’s the deal: Qualcomm provides device makers that use its chips an app called Engineer Mode that they can use for testing purposes. It’s only really supposed to be used on pre-release software, but it turns out that OnePlus included it in the Android-based OxygenOS software that ships on its phones.
It’s unclear if that was an accident or if it was done intentionally.
Update: Qualcomm says it didn’t make the app. Instead, it appears to be a new app built on top of some code from an older, similarly-named Qualcomm testing app that had far less functionality.
First spotted by @fs0c131y, the Engineer Mode APK appears to be included in multiple OnePlus devices including the OnePlus 3 and OnePlus 5.
With the app installed, it’s possible to connect the phone to a PC and run an adb (Android Debug Bridge) command that enables diagnostic mode and provides root access which stays enabled even after the phone is rebooted.
You do need to enter a password to toggle diagnostic mode… but the folks at NowSecure figured out that the password is “angela” and multiple folks have confirmed that it works.
So… if you want to root your phone, there are now instructions for doing that. If you want to make sure that nobody else can gain root access to your phone… that might be a bit trickier.
For now it looks like the easiest way to root a device with the Engineer Mode APK installed is to have physical access to the phone, which limits the likelihood that an attacker would be able to gain access to your data without your knowledge.
But as Android Police points out, it’s also possible that someone could combine a set of known vulnerabilities including the Engingeer Mode backdoor to infect your device with malware when a malicious app is installed.
Update: OnePlus has issued a statement that boils down to:
- We don’t think there’s any real security threat here.
- But we get that some of you are concerned, so we’ll issue a fix “in an upcoming OTA.”
Interestingly, the company says it’ll “remove the adb root function from EngineerMode” in that update rather than removing the app altogether, which suggests that OnePlus didn’t simply forget to remove it from OxygenOS after using it to test its phones.. but actually included it on purpose for some reason.
Leave a Reply
5 Comments on "Backdoor found in OnePlus phones can provide root access without unlocking the bootloader (Updated)"
Wait… so if you go with a small Chinese outfit who sells cheaper hardware that has less development behind it, there could actually be security risks in doing so?! Shocking!
In other related news, water has been found to indeed be wet. People claim to be “surprised” by this development.
It’s a backdoor that is secured with something less than a private key/public key pair.
What more has to be said. One Plus has shown that they do not understand security. Period.
The fact that the password is of particularly low quality is just piling on.
If only we could have these backdoors on Flagship Android Devices, those which insist to lock the bootloader and make it impossible to r00t etc etc.
Fix is coming in next OTA updates.
I think the phrase of the day is “tempest in a tea cup”. I read quite a bit about this apk. You must gain physical access to the phone in order to use it, connect the phone to a pc and run adb, enter a password. I think most people would notice if someone did this with your phone. Oh, and of course you must unlock your phone (password or biometrics). Honestly if the root can be reversed then the apk deleted from the phone this would be great to have. Delete any pesky crapware on your phone that you normally could not get rid of, then unroot the phone and delete the program. Cool.