A Twitter user by the name ” Elliot Alderson “ has discovered a root backdoor in OnePlus devices—one that has apparently been shipping for years. OnePlus has been shipping a Qualcomm engineering APK (an Android app file) in its devices, which with a few commands, can root a device.
The app—called “EngineerMode”—is partially exposed to users through a secret ” *#808# ” dialer command, and you can also launch the full app through an Android activity launcher or the command line. The app contains production-line tests for various phone components, a root checker, and lots of information readouts. The important part, though, is a “DiagEnabled” activity with a method called “escalatedUp.” If this is set to “true,” the app will allow root access over Android Debug Bridge, Android’s command-line developer tools.
The method for gaining root is password protected, but the password lasted all of three hours once the method was discovered. With the help of David Weinstein and the Now Secure team, the group discovered the magic word is “angela,” which is possibly anotherMr. Robot reference, just like the “Elliot Alderson” handle. (We swear this is real and not a Mr. Robot AGR.)
With the password cracked, it’s now possible for an app to enable root access on any device with the APK preinstalled. For now this only works in ADB, which requires local access to the device. Anderson says it’s “too early to speak about a random app getting root access, but we are on the good tracks.”
Since this is a Qualcomm APK, there’s a chance other OEMs have made the same mistake OnePlus has. While the root backdoor hasn’t been verified in other devices yet, reports from Twitter indicate the APK was also found in Asus and Xiaomi devices.
OnePlus CEO, Carl Pel, said his company is ” looking into ” the backdoor report. It should be a simple matter of just removing the APK in an update, but this will certainly put a damper on the launch of the OnePlus 5T, which comes out this week .