OnePlus, an electronics manufacturer based in China, has reportedly been shipping its line of popular smartphones with a hidden backdoor that could allow a hacker to hijack the device relatively effortlessly.

According to mobile security researcher Robert Baptiste—otherwise known by the pseudonym Elliot Alderson, a reference to the main character in the television series ‘Mr. Robot’—smartphones from OnePlus have for years contained a hidden backdoor that would allow root access to the device.

The backdoor is provided through an application called Engineer Mode that ships pre-installed on the devices. Intended for internal use only by the company’s engineering team to test if devices are working properly, the application has managed to remain on OnePlus devices that have been shipped to consumers—and may present a threat to their security.

OnePlus likely kept Engineer Mode installed on the devices because it assumed it was secure and would remain unnoticed, given that the app is hidden behind a password. However, Baptiste and researchers at security firm NowSecure were able to crack the password —which was “angela”—and gain access to the application.

With the ability to crack the password and reach the powerful Engineer Mode app, an attacker could gain root access to a OnePlus device. Having root access essentially means the user has complete control over the device, including privileged control over features that would otherwise be locked up. With root access, an attacker could change just about anything about the device’s software.

While it appears OnePlus is responsible for leaving Engineer Mode on its devices, it is not directly responsible for the application itself or the backdoor it creates. It is actually a modified version of a testing application created by Qualcomm.

Versions of Engineer Mode were also found on a handful of other devices, including smartphones from Motorola, Xiaomi, Lenovo and Oppo. The application was present on several models of OnePlus devices including OnePlus 3, OnePlus 3T and OnePlus 5.

On devices with the application present, an attacker could use the easily crackable password to hijack the device and execute malicious code. However, carrying out such an attack would require physical access to the device—the hacker would need to have the smartphone in hand to hijack Engineer Mode and start doing damage.

Still, the presence of the app brings into question OnePlus’ security protocols. The company already drew criticism earlier this year over its onerous data collection practices, in which the company sucked up sensitive data from user devices and transmitted that information with each device’s serial number attached. The company claimed the data was simply for performance analytics but agreed to scale back what it collected.

For owners of OnePlus devices who are curious to learn if the Engineer Mode app is installed on their device, it is possible to find the app by going to Settings, opening the Apps menu, tapping Menu, and Show System apps. From there, just search for Engineer Mode to see if it is installed. It is also possible to delete the app once it is discovered.

OnePlus did not immediately respond to a request for comment.

A Qualcomm spokesperson told International Business Times, "After an in-depth investigation, we have determined that the EngineerMode app in question was not authored by Qualcomm. Although remnants of some Qualcomm source code is evident, we believe that others built upon a past, similarly named Qualcomm testing app that was limited to displaying device information. EngineerMode no longer resembles the original code we provided."

RELATED STORIES
China Smartphone Android Qualcomm