A security researcher calling himself Elliot Alderson has found two factory-installed apps with major security vulnerabilities on OnePlus devices, and he says there will likely be more to come.
Two separate backdoors into OnePlus devices have been discovered since Monday, and both are the work of a single security researcher.
A Twitter user going by the name Elliot Alderson (also the name of the main character on the show Mr. Robot) announced the discovery of two factory-installed debug apps on OnePlus devices: one that can root the device, and another that can log and transmit device information. The latter, which Alderson says is more critical, could give an attacker "everything" on a device.
OnePlus has had a bad run of security incidents recently. Just one month ago it was discovered that the company was quietly collecting customer data from devices, and now it appears that devices have been leaving the factory with engineering test apps still installed since at least 2015.
If you're a OnePlus owner you're right to be concerned.
OnePlus backdoors equal security nightmares
The first of two debug apps found on OnePlus devices is EngineerMode. The app is used in Qualcomm devices to test hardware and is typically uninstalled prior to the device leaving for sale.
The Hacker News has confirmed its presence on OnePlus devices dating back to the OnePlus 2, which means the company has been releasing devices without removing the root-granting app since at least 2015.
EngineerMode is a risk, but it isn't critical—an attacker needs to gain physical access to the device in order to enable its dangerous components. The bigger risk comes from the second app Alderson discovered: OnePlusLogKit.
The LogKit app is, like EngineerMode, designed for debugging purposes. In this case, LogKit captures hardware logs, lists of running processes, usage statistics, and even media (photos, video, etc.) stored on the device.
Logging on Android devices is disabled by default, but Alderson says that if an attacker enabled it "he could have everything." Worse still, that could be done remotely, Alderson said, through the use of attacks like Cloak and Dagger.
Protecting yourself requires rooting around
OnePlus said in a statement that, while they don't consider EngineerMode to be a critical problem, it will be eliminated in an update in the near future. (OnePlus has yet to respond on the issue of LogKit.)
Those concerned about the security of their OnePlus devices may not be content to wait around for an OTA update to Oxygen OS. If you want to get rid of those debug apps now, you'll have to take matters into your own hands, and that requires rooting your device, since these are system apps that can't be deleted without root access.
Luckily that's become much easier since EngineerMode was discovered.
First check to see if your device is affected: Open the Settings app, then tap on Apps. From there, tap the menu on the right side of the screen (the three dots) and enable Show System Apps. If EngineerMode shows up you may want to consider rooting and removing.
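For more than one device, the same check can be run over adb instead of the Settings screen. The script below is an added example, not from the article or from OnePlus; the keyword match and the sample listing are assumptions, since the article does not give the apps' package names.

```shell
#!/bin/sh
# Added example: flag factory debug apps in a system-package listing.
# Input: output of `adb shell pm list packages -s -f`, one line per package:
#   package:<apk path>=<package name>
# ASSUMPTION: the APK path or package name contains a keyword derived from the
# app names in the article ("engineer", "logkit"); confirm every hit by hand.
KEYWORDS='engineer|logkit'

find_debug_apps() {
    # Reads the listing on stdin, prints "<package name> <apk path>" per hit.
    tr -d '\r' | while IFS= read -r line; do
        case "$line" in package:*) ;; *) continue ;; esac
        entry=${line#package:}
        pkg=${entry##*=}     # text after the last '=' is the package name
        path=${entry%=*}     # everything before it is the APK path
        if printf '%s\n' "$entry" | grep -Eiq "$KEYWORDS"; then
            printf '%s %s\n' "$pkg" "$path"
        fi
    done
}

# Constructed sample listing (package names are placeholders, not real ones).
SAMPLE='package:/system/app/EngineerMode/EngineerMode.apk=com.example.engineermode
package:/system/priv-app/Settings/Settings.apk=com.example.settings
package:/system/app/OnePlusLogKit/OnePlusLogKit.apk=com.example.logkit
package:/system/app/Camera/Camera.apk=com.example.camera'

# Live use: adb shell pm list packages -s -f | find_debug_apps
printf '%s\n' "$SAMPLE" | find_debug_apps
```

An empty result only means no system package matched the keywords; it does not prove the device is clean.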
You can find steps, as well as a download link, to the new OnePlus rootkit on GitHub. (Any modification or rooting of your device is done at your own risk. TechRepublic is not responsible for any damage done to your device or operating system.)
Alderson also noted that the OnePlus firmware is "a goldmine," and that he has more information to share. This article will be updated to reflect any additional discoveries that are critical to users.
The top three takeaways for TechRepublic readers:
- A security researcher discovered two separate factory-installed debug apps on OnePlus devices. One is capable of granting root access, and the other can log and transmit sensitive device information.
- The root-granting app isn't as great a concern, as an attacker would need physical access to the device to do damage. The logging app could be enabled remotely, giving an attacker access to nearly everything on a OnePlus device.
- Because these apps are installed at the system level they require rooting to remove, which is now as simple as installing an APK and following the instructions given at GitHub.