Qualcomm Denies Involvement in EngineerMode Root Backdoor Found on OnePlus Phones
Just when we thought this story was over, it rears its ugly head again. 2 days ago, a security researcher who calls himself Elliot Alderson (@fs0c131y), named after the protagonist of the hit USA Network television series Mr. Robot, made a surprising discovery. A pre-installed application found on all OnePlus devices running OxygenOS, as well as a few other smartphones from other manufacturers, was capable of being exploited to grant root access to ADB shell. While this isn’t a major security exploit as it requires physical device access and USB Debugging to be enabled, it is an exploit nonetheless—one that OnePlus promised a quick update to resolve.
This pre-installed application was presumed to be from Qualcomm as it contains various hardware diagnostic tests that are useful for OEMs to test out hardware components before shipping a device. The security researcher, @fs0c131y, claimed that OnePlus had modified the source of the original application from Qualcomm as he found a package from OnePlus in the app. But it was still largely assumed that the app was largely the making of Qualcomm, but was never intended to be shipped on production devices. The latter assumption still holds up, but the former is now in question.
A Qualcomm spokesperson reached out to us with the following statement:
After an in-depth investigation, we have determined that the EngineerMode app in question was not authored by Qualcomm. Although remnants of some Qualcomm source code is evident, we believe that others built upon a past, similarly named Qualcomm testing app that was limited to displaying device information. EngineerMode no longer resembles the original code we provided.
Alex Gantman, VP of Product Security Engineering at Qualcomm, also posted this official statement as a reply to the security researcher from his Twitter account.
This statement suggests that Qualcomm is denying any involvement with this so-called root backdoor. That puts the blame squarely at the feet of OnePlus, though they have already committed to satisfying its customers by removing the code responsible for elevating ADB shell to superuser privileges.
In our own investigation thanks to the help of XDA Recognized Developer Sultanxda, we discovered that the bootloader on OnePlus devices has a property called
androidboot.angela. Sultanxda has never seen this property on any other phone he’s worked with so far. It is interestingly set to “disabled” by default. It is turned into a build property called
ro.boot.angela when Android boots, as Android parses the kernel command line by reading /proc/cmdline.
In the source code of the EngineerMode app, there is interestingly no mention of the
ro.boot.angela build property. The only method that refers to ‘angela’ is
checkAngelaRoot() which does not have any checks against
ro.boot.angela. The existence of this bootloader/build property suggests to us that there was an intention for the app to check for this build property (after all, it’s set to ‘disabled’) but it never got implemented. There’s nowhere else that
ro.boot.angela is referenced in code, and this is the only place it makes sense for it to be, so that’s the conclusion we’re drawing based on our inferences.