OnePlus has accidentally left behind an app called ‘EngineerMode’, attributed to Qualcomm, which on decompiling turned out to be exploitable to gain root access, effectively acting as a backdoor. The app was discovered by a OnePlus user on Twitter.
The EngineerMode app is a system app that Qualcomm supplies to OEMs such as OnePlus to test the hardware components of a device. It is found installed on various OnePlus devices, including the OnePlus 3, 3T and OnePlus 5, and is easily accessible with any activity launcher.
On decompiling the app, the user found an activity called DiagEnabled, and one method within it stood out: escalatedUp, which accepts a boolean value (true/false) and a string. This exploit is most useful to hackers with physical access to a OnePlus device, or to an owner looking to root their own device.
OnePlus has left behind the system-signed APK and a native library containing the SHA-256 hash of the password, which was easily reversed: an unsalted hash of a short password offers no real protection, because anyone holding the library can brute-force it offline at their leisure. With this password, the app enables diagnostic mode and grants full root privileges on the device via a simple ADB command. OnePlus was quick to acknowledge the issue and responded in a forum post.
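To show why an embedded SHA-256 hash of a short password is "easily reversed", here is an added example (my own code, not from the article, OnePlus or Qualcomm) that recovers a password from its unsalted SHA-256 digest by trying a small wordlist and then brute-forcing every lowercase string up to four characters. The wordlist, the fixture password and the function names are constructed for illustration; the real EngineerMode hash and password are not reproduced.

```python
import hashlib
import itertools
import string
from typing import Optional

# Constructed wordlist standing in for a real password dictionary. An
# attacker's first move is the cheap one: common words before brute force.
WORDLIST = ["password", "qualcomm", "oneplus", "engineer", "diag", "root", "admin"]

ALPHABET = string.ascii_lowercase
MAX_BRUTE_LEN = 4  # 26 + 26^2 + 26^3 + 26^4 is about 475k hashes, under a second


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256 hex digest, the construction the article describes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def recover_password(embedded_hash: str) -> Optional[str]:
    """Recover the plaintext behind an unsalted SHA-256 digest.

    Tries the wordlist first, then every lowercase string of length 1 to
    MAX_BRUTE_LEN. Returns the password, or None if nothing matched within
    that search space (e.g. a long passphrase with mixed characters).
    """
    target = embedded_hash.strip().lower()
    for word in WORDLIST:
        if sha256_hex(word) == target:
            return word
    for length in range(1, MAX_BRUTE_LEN + 1):
        for chars in itertools.product(ALPHABET, repeat=length):
            candidate = "".join(chars)
            if sha256_hex(candidate) == target:
                return candidate
    return None


if __name__ == "__main__":
    # Constructed fixture: hash a short password the way a build step would
    # bake it into a native library. This is not the real EngineerMode hash.
    fixture = sha256_hex("diag")
    print("embedded hash:", fixture)
    print("recovered    :", recover_password(fixture))
```

The lesson is not that SHA-256 is weak but that hashing a low-entropy secret and shipping the digest inside an APK on every device gives the attacker unlimited offline guesses; a check like this belongs behind a per-device secret or a server-side authorisation, not a constant in a library.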
A member of the company’s OxygenOS team shared an update saying that while the app can enable adb root, which grants root privileges to adb commands, it does not let third-party apps access full root privileges, and noted that adb root is only reachable if USB debugging is enabled, which it is not by default. The company says it isn’t a significant security issue but will still roll out an update in the coming OTA that removes the adb root function from EngineerMode.
Update: Qualcomm in a statement said:
After an in-depth investigation, we have determined that the EngineerMode app in question was not authored by Qualcomm. Although remnants of some Qualcomm source code are evident, we believe that others built upon a past, similarly named Qualcomm testing app that was limited to displaying device information. EngineerMode no longer resembles the original code we provided.