Upstart Chinese smartphone maker OnePlus is at the centre of another security incident today with claims that it installed a backdoor in its products that could enable an attacker to take control of the device.
It comes as the company prepares to launch its latest flagship model, the OnePlus 5T, just months after the OnePlus 5.
It also adds to claims made earlier this year that the company's devices, going back many years, have been collecting user-identifiable data and sending it back to the company's HQ in China.
The company resolved that with an update enabling users to opt out of what it labels Oxygen OS analytics.
It now appears that the company has left an internal testing app within the operating system, which could be exploited to give root access. That, at least, is the charitable explanation.
XDA Developers reports on the discovery by 'Elliot Alderson' (one for the Mr Robot fans). He reveals that the activity is still installed in OnePlus 3, 3T and OnePlus 5 devices and can be accessed through any activity launcher.
<Thread> Hey @OnePlus! I don't think this EngineerMode APK must be in an user build...🤦♂️ — Elliot Alderson (@fs0c131y) November 13, 2017
This app is a system app made by @Qualcomm and customised by @OnePlus. It's used by the operator in the factory to test the devices. pic.twitter.com/lCV5euYiO6
The app's existence had been previously spotted (XDA likes to nose around mobile operating systems as a matter of course), but it's only now that it's becoming clear exactly what it does and what it's capable of doing.
The bottom line is that it enables Android Debug Bridge (ADB) to be run in root mode without the need to unlock the Android bootloader.
If you know anything about Android, you'll know how bad that could be in the wrong hands. On the plus side, if you like a rooted phone, it means you can root the OnePlus range without unlocking the bootloader too.
It's not clear whether it's just a simple mistake or something more sinister, but the password is 'Angela' if you wish to investigate further.
OnePlus, of course, has been asked for comment, but none has been forthcoming at the time of publication.
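For anyone auditing a handset or firmware image for this class of problem, the check below is an added example, not code from XDA, OnePlus or the researcher. It parses captured output of `adb shell getprop` and `adb shell pm list packages` and flags factory-test packages or a root adbd on a user build; the name fragments in `FACTORY_HINTS` and the sample package names are assumptions constructed for illustration.

```python
import re

# Heuristic name fragments for factory/engineering test apps.
# Assumption for this example, not a vendor-supplied list.
FACTORY_HINTS = ("engineermode", "engineeringmode", "factorytest", "factorymode")


def parse_getprop(text):
    """Parse `getprop` output lines of the form `[key]: [value]` into a dict."""
    return dict(re.findall(r"^\[([^\]]+)\]: \[([^\]]*)\]", text, flags=re.M))


def parse_packages(text):
    """Parse `pm list packages` output lines of the form `package:<name>`."""
    return [line.split(":", 1)[1].strip()
            for line in text.splitlines() if line.startswith("package:")]


def audit(getprop_text, packages_text):
    """Return findings that should not occur on a production (user) build."""
    props = parse_getprop(getprop_text)
    findings = []
    if props.get("ro.build.type") != "user":
        return findings  # engineering/userdebug builds legitimately carry test tooling
    for pkg in parse_packages(packages_text):
        if any(hint in pkg.lower() for hint in FACTORY_HINTS):
            findings.append(f"factory-test package in user build: {pkg}")
    if props.get("ro.debuggable") == "1":
        findings.append("ro.debuggable=1 on a user build")
    if props.get("service.adb.root") == "1":
        findings.append("adbd running as root on a user build")
    return findings


# Constructed sample input (not captured from a real device).
SAMPLE_GETPROP = """\
[ro.build.type]: [user]
[ro.debuggable]: [0]
[ro.secure]: [1]
[service.adb.root]: [1]
"""
SAMPLE_PACKAGES = """\
package:com.android.settings
package:com.example.engineermode
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_GETPROP, SAMPLE_PACKAGES):
        print(finding)
```
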