OnePlus, an electronics manufacturer based in China, has reportedly been shipping its line of popular smartphones with a hidden backdoor that could allow a hacker to hijack the device relatively effortlessly.
Security researcher Robert Baptiste says the EngineerMode APK is made by Qualcomm and is meant to be used by factory staff to test phones for basic functionality before they are shipped out to the public. But Elliot Alderson found that the tool could be exploited by hackers to gain root access to a device, essentially gaining backdoor access into it where they could then take over the phone.
OnePlus likely kept Engineer Mode installed on the devices because it assumed it was secure and would remain unnoticed, given that the app is hidden behind a password.
With the password cracked, it's now possible for an app to enable root access on any device with the APK preinstalled.
Russia Tried to Pass off a Video Game as Combat Footage
It said the US-led coalition refused requests to cooperate and "eliminate fleeing Isis convoys". The statement wasn't even fully cropped out of the images that Russian Federation tweeted.
GST capped at 5% in all restaurants: Arun Jaitley
These items include furniture, detergents, shampoos, hair dyes, beauty products, perfumes, fans, lamps and mattresses. All tax payers who have small tax liability or no liability will be able to file returns in just 2-3 steps.
Missouri is taking page from Europe and investigating Google
The company operates "in a highly competitive and dynamic environment", Patrick Lenihan said in an emailed statement. Google agreed to change some business practices the FTC said were stifling competition in certain markets.
The Engineer Mode APK is capable of diagnosing Global Positioning System, run automated tests, check root status among other things. A developer has found an application that can be manipulated into to granting a backdoor root access. It is actually a modified version of a testing application created by Qualcomm. However, it was left in the software builds that ship with the OnePlus 3, 3T, and 5.
Earlier, according to a post on Christopher Moore's blog, OnePlus is collecting sensitive private data like IMEI numbers, mobile network names and IMSI prefixes, MAC addresses, and more. This is thanks to a Qualcomm system-side app and OnePlus's decision to leave it in the custody of end users. The company claimed the data was simply for performance analytics but agreed to scale back what it collected.
While the vulnerability allows attackers to use the EngineerMode app to fully compromise devices, a mitigating factor is that local access to devices is needed - no remote exploit is available.
The discoverer of the app had a problem.