Dubbed “EngineerMode”, the app was created by Qualcomm, most certainly to test hardware, but OnePlus has taken it upon itself to tamper with the app, customize it, and preload it on a plethora of devices, including but not limited to the OnePlus 5, OnePlus 3, and OnePlus 3T. The app gives unprecedented access to a host of security-sensitive features of your phone, with the worst offender being the “all clear” command, which would erase all data on the phone, internal storage and all.
The exploit works on devices with a locked bootloader, which further turns security concerns up to 11.
The most disturbing part is that @fs0c131y, the dev who discovered the backdoor, was able to create a simple root app for OnePlus devices that makes use of his findings and… even published it on the Google Play Store.
Now, on its own, this app can’t do anything malicious; it’s a powerful tool intended for device testing and maintenance. The scary part is that it’s laughably easy to run it with a simple command, and that OnePlus has purposefully included it in the software builds of its devices. A malicious app or malware built around this loophole would potentially be able to target OnePlus devices and wreak havoc.
@fs0c131y also suggests that many other Snapdragon-powered devices could have said Qualcomm-developed app preinstalled, which would be rather concerning given the company’s market share. To check whether you have it, go to Settings > Apps, look for Show system apps in any of the menus, and search for EngineerMode in the app list.
OnePlus’ Carl Pei responded on Twitter that the issue is being looked into. One thing is for certain, though: this is not good news for the company, which is expected to launch a new device, the OnePlus 5T, in two days’ time.