On Tuesday, developer Elliot Alderson tweeted that OnePlus has left behind an app that can act as a backdoor to get root access to a device without unlocking it.
Earlier, according to a post on Christopher Moore's blog, OnePlus was collecting sensitive private data such as IMEI numbers, mobile network names and IMSI prefixes, MAC addresses, and more. But the team proved it can be done without a whole lot of effort, which in turn leaves a lot of OnePlus devices vulnerable.
In this app, the developer found an activity known as "DiagEnabled" which, if enabled with a specific password, grants root access. However, it also holds a backdoor that is capable of root access even if the device has not been unlocked. The user can access manual tests such as the root status test, the GPS test, or the main activity by sending a command. With the help of a few cybersecurity experts, the required password was discovered, making rooting a OnePlus phone as easy as running a few commands.
OnePlus' co-founder clarified that the company was collecting data to "better understand general phone behavior and optimize OxygenOS for a better overall user experience".
The Engineer Mode APK can diagnose GPS, run automated tests, and check root status, among other things.
The chance of this already having been exploited is probably low, but it's still a massive risk to users.
In a statement to Android Authority, OnePlus said, "We securely transmit analytics in two different streams over HTTPS to an Amazon server". In the meantime, you should probably avoid installing any sketchy-looking apps. The app, developed by Qualcomm, is essentially designed for OEMs to test hardware components or run diagnostic tests on a device.