OnePlus has landed in trouble again just a few days ahead of the launch of its much-anticipated OnePlus 5T smartphone. The Chinese company has been found to have left behind an app on its recent devices that can act as a backdoor, capable of providing root access without unlocking the bootloader. For end users, this essentially means that some OnePlus smartphones can be easily rooted without even unlocking the bootloader. The Chinese company was quick to acknowledge the issue, and has confirmed that it's investigating.
A Twitter user who goes by the Mr. Robot-inspired name Elliot Alderson discovered that OnePlus had accidentally left behind the EngineerMode APK, an app made by Qualcomm for device manufacturers to test hardware components. He claimed that the app is installed on some OnePlus devices, though XDA-Developers points out that it comes pre-installed on OnePlus 3, OnePlus 3T, and OnePlus 5 smartphones. We can confirm its presence on the OnePlus 3T and OnePlus 5.
The app lets OEMs run diagnostic tests on the device, but it can also be exploited to grant root access, which makes it effectively a backdoor.
In a series of tweets, the Twitter user explained how the exploit can be used to gain root access on the OnePlus 3, OnePlus 3T, and OnePlus 5. For OnePlus 3, 3T, and 5 users, Alderson suggested checking the apps list to find the EngineerMode app. "If you have an OnePlus device, I'm pretty sure you have this app pre-installed. To check open Settings -> Apps -> Menu -> Show system apps and search EngineerMode in the app list to check," the user wrote in a tweet. Another Twitter user pointed out that the OnePlus One with a CyanogenMod build doesn't come with any such app, though the smartphone's OxygenOS build does.
Carl Pei, co-founder of OnePlus, confirmed on Twitter that the company is looking into the issue, writing in a tweet, "Thanks for the heads up, we're looking into it."
Not long ago, the Chinese company faced public backlash after a researcher discovered that OnePlus devices were collecting unanonymised user data without user consent. The Chinese handset maker responded in no time, claiming that it was collecting data to improve its service and that this was standard practice among OEMs. The company, however, took some prompt decisions and confirmed that it would include a new "opt-in" option for the user experience program.