OnePlus has been in the news for the wrong reasons many times this year, the most notorious being the data collection issue, in which the company’s devices were transmitting personal data to its servers. And with the launch of the OnePlus 5T just two days away, a new issue has been found in the company’s custom Android version, OxygenOS.
The firmware on OnePlus devices reportedly has a pre-installed backdoor. Twitter user Elliot Alderson, who appears to be some sort of security researcher, has found that OxygenOS has the EngineerMode APK (made by Qualcomm) installed in it. Users can verify this by navigating to Settings > Apps > Menu > Show System Apps. It is actually a system diagnostics app, used for checking GPS, root status, and other tests, usually by an engineer in the factory, to ensure a device is working properly.
Using adb shell from a computer, EngineerMode can be used to root a device with ease. The password for accessing the exploit was found, and the device was rooted using it. Alarmingly enough, the researcher says that SuperSU is already available in the firmware, and an app can also be used to root the device. Technically, this puts the devices at risk, as malicious apps could root the device and steal user data.
So, the question is, why did OnePlus leave behind an APK that should have been removed after the device passed factory tests?