Another OnePlus app uncovered that may allow hackers to steal photos, GPS, WiFi data and more
The second OnePlus app is called OnePlusLogKit – it reportedly logs an extensive amount of user data.
Just days after a factory-installed backdoor app was found on OnePlus devices, a second app – also preinstalled – has been uncovered, raising major security and privacy concerns for the company's smartphone users. This app is reportedly called OnePlusLogKit and, like its name suggests, logs an extensive amount of user data.
The second OnePlus app was reportedly found by the same security expert that discovered the first app, EngineerMode. The researcher, who goes by the moniker Elliot Anderson – an homage to the lead character of the popular TV series Mr Robot – took to Twitter to report about the app's ability to potentially allow hackers to record users' photos, WiFi and GPS data, and more.
The researcher wrote in a post that all of the user data stored by the app is unencrypted, adding in another tweet that this data could also likely be sent to China. Bleeping Computer reported that OnePlusLogKit runs with system privileges. Anderson told Bleeping Computer that he believes that the app may have been intentionally left on users' devices by the smartphone maker.
In his Twitter thread, the researcher said that all one had to do to trigger the app into logging the data and accessing it was to dial *#800# on the smartphone's dial pad. This action automatically opens up the app's interface with which one can either switch the logging feature on or off.
You can also obtain deep system information with this app: list of the process running, list of service running, battery stats,... pic.twitter.com/5akvErzhPF
— Elliot Alderson (@fs0c131y) November 15, 2017
Of course, all the logs are stored unencrypted in /sdcard/oem_log/ pic.twitter.com/YOQbNsE7PE
— Elliot Alderson (@fs0c131y) November 15, 2017
It's also possible that the files created by OnePlusLogKit are read and send to China by another @OnePlus app.
— Elliot Alderson (@fs0c131y) November 15, 2017
Bleeping Computer reported that a hacker who had physical access to a OnePlus device could trigger the app's data-logging features and access the logs at a later date. Hackers could also potentially use other techniques, such as social engineering, into tricking users to enable the app's data-logging features.
In the aftermath of the first OnePlus factory app's issues coming to light, the firm said that it would remove EngineerMode's root functions in the next update, The Verge reported. Earlier this year, security researcher Chris Moore found OnePlus was collecting significant user data, including devices' serial numbers and sending it to a server – allowing the firm to potentially track users.
It is still unclear as to what OnePlusLogKit's actual function may be and why the app came pre-installed on devices. IBTimes UK has reached out to OnePlus for further clarity on the matter and will update this article in the event of a response.
