[Update] No Surprises! “Accidental” Backdoor with Root Access Spotted in Qualcomm Based Android Phones, Including OnePlus 5
Since this morning, several reports have been circulating suggesting that OnePlus has been including a backdoor in its devices that can enable attackers to root them. It appears that OnePlus isn't alone in this: Elliot Alderson, the pseudonym of the security researcher who first spotted this backdoor, says that other Qualcomm-based devices are also potentially affected.
The app in question is EngineerMode, which is designed by Qualcomm to be used in factories to perform several operations during the testing processes. OEMs are expected to remove this app after in-house testing. However, it has been discovered on various devices, including OnePlus 3, OnePlus 3T, OnePlus 5 ($499.99), and devices from Xiaomi, Motorola, and others. Alderson is currently collecting samples and wrote to Wccftech that "almost all brands have this APK: Motorola, Xiaomi, Oneplus, Oppo."
I have an ASUS Zenfone 3 Max and I have the Engineering Mode in my system apps as well.
— Pat ヽ(^。^)ノ (@pakwik) November 14, 2017
While it is unclear what other models are affected, OnePlus is currently getting a lot of heat because several users have confirmed seeing EngineerMode on various OnePlus phones. It has been only a month since the company was caught collecting personally identifiable data from its phone users. The company responded quickly to those concerns at the time; however, the incident raised several eyebrows, and the latest report will only add to the headaches for the Shenzhen-based Chinese smartphone company.
EngineerMode and what it can do
The series of tweets posted by the researcher suggests that the app can perform a number of intrusive actions, including rooting devices. It can diagnose GPS, check the root status, and do more. All of these functions are expected in a diagnostic app that engineers may need to test phones before they are shipped out. However, by leaving this APK on shipped devices, potentially by accident, the companies have left a backdoor that attackers can use to perform malicious functions and gain root access to the devices.
— Elliot Alderson (@fs0c131y) November 13, 2017
Alderson adds that the app can actually be used to root the device by launching the DiagEnabled function found in the APK. The researcher added that an attacker with physical access to the phone, or malware installed on it, only needs to run the following command to root the device:
adb shell am start -n com.android.engineeringmode/.qualcomm.DiagEnabled --es "CODE" "PASSWORD"
where CODE = code and PASSWORD = angela
Other independent researchers have confirmed these findings and some are working on a proof of concept; however, neither Qualcomm, OnePlus, nor other firms have responded to this yet. If you are worried your Android phone might have this backdoor too, you can confirm it by going to Settings > Apps > Menu > Show system apps.
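For checking more than one handset, the same lookup can be scripted over adb instead of through the Settings menu. The script below is an added example, not part of the original report or any vendor tooling: the package name is taken from the command above, while the function names, the similar-name heuristic and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag the factory-test app in `pm list packages -f` output.
# Package name taken from the article's command; all other names are hypothetical.
TARGET_PKG="com.android.engineeringmode"

# Reads `pm list packages -f` lines (package:<apk path>=<package name>) on stdin.
# Prints one finding per match; returns 0 if anything was flagged, 1 otherwise.
scan_package_list() {
    awk -v target="$TARGET_PKG" '
        /^package:/ {
            line = substr($0, 9)          # drop the "package:" prefix
            eq = 0
            # Split at the LAST "=": newer Android APK paths contain "=" too.
            for (i = length(line); i > 0; i--)
                if (substr(line, i, 1) == "=") { eq = i; break }
            if (eq == 0) next
            path = substr(line, 1, eq - 1)
            pkg  = substr(line, eq + 1)
            sub(/\r$/, "", pkg)           # adb output may carry CR line endings
            if (pkg == target) {
                print "EXACT " pkg " " path; found = 1
            } else if (tolower(pkg) ~ /engineer(ing)?mode/) {
                # Assumed heuristic: other vendors may ship it under another name.
                print "SIMILAR " pkg " " path; found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Runs the scan against a connected device; $1 is an optional adb serial.
audit_device() {
    if [ -n "$1" ]; then
        adb -s "$1" shell pm list packages -f | scan_package_list
    else
        adb shell pm list packages -f | scan_package_list
    fi
}

# Constructed sample listing (not captured from a real device).
SAMPLE_OUTPUT='package:/system/app/EngineeringMode/EngineeringMode.apk=com.android.engineeringmode
package:/data/app/~~Qx1==/com.example.notes-Zz9==/base.apk=com.example.notes
package:/system/app/Camera/Camera.apk=com.android.camera'

printf '%s\n' "$SAMPLE_OUTPUT" | scan_package_list
```

An EXACT hit under a system path means the app shipped in the firmware image; a SIMILAR hit only indicates a name worth inspecting by hand.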
We are reaching out to Qualcomm and OnePlus and will update this piece as we receive any comments.