There are plenty of Android phone users who make a habit of rooting their devices in order to gain more control, access system settings and files that would otherwise be unavailable, and run apps that only work on a rooted device.
But choosing to root your phone is one thing. Finding out that there’s an app on your phone that could be used to root your device with or without your permission or knowledge is another.
And it turns out that at least a few phones from OnePlus do include an app that lets you root the phone without first unlocking the bootloader. On the one hand that might be good news for folks that just want a simple way to root their device. On the other, it poses a security vulnerability that malicious hackers could theoretically use to take over your device.
So here’s the deal:
Qualcomm provides device makers that use its chips an app called Engineer Mode that they can use for testing purposes. It’s only really supposed to be used on pre-release software, but it turns out that OnePlus included it in the Android-based OxygenOS software that ships on its phones. It’s unclear if that was an accident or if it was done intentionally.
Update: Qualcomm says it didn’t make the app. Instead, it appears to be a new app built on top of some code from an older, similarly-named Qualcomm testing app that had far less functionality.
First spotted by @fs0c131y, the Engineer Mode APK appears to be included in multiple OnePlus devices including the OnePlus 3 and OnePlus 5.
With the app installed, it’s possible to connect the phone to a PC and run an adb (Android Debug Bridge) command that enables diagnostic mode and provides root access, which stays enabled even after the phone is rebooted.
You do need to enter a password to toggle diagnostic mode… but the folks at NowSecure figured out that the password is “angela” and multiple folks have confirmed that it works.
So… if you want to root your phone, there are now instructions for doing that. If you want to make sure that nobody else can gain root access to your phone… that might be a bit trickier.
For now it looks like the easiest way to root a device with the Engineer Mode APK installed is to have physical access to the phone, which limits the likelihood that an attacker would be able to gain access to your data without your knowledge.
But as Android Police points out, it’s also possible that someone could combine a set of known vulnerabilities including the Engineer Mode backdoor to infect your device with malware when a malicious app is installed.
Update: OnePlus has issued a statement that boils down to:
- We don’t think there’s any real security threat here.
- But we get that some of you are concerned, so we’ll issue a fix “in an upcoming OTA.”
Interestingly, the company says it’ll “remove the adb root function from EngineerMode” in that update rather than removing the app altogether, which suggests that OnePlus didn’t simply forget to remove it from OxygenOS after using it to test its phones… but actually included it on purpose for some reason.