A couple of days ago it was reported that IT security researcher Robert Baptiste, who goes by the handle Elliot Alderson on Twitter, had discovered a pre-installed backdoor application called “EngineerMode” on OnePlus smartphones, including its 5, 3, 3T models and OxygenOS for OnePlus 1.

Now, the same researcher has found another preinstalled app in OnePlus devices sold to customers around the world. Dubbed OnePlusLogKit by researchers, the app runs with system privileges and has access to the user’s GPS logs, Wi-Fi data, Bluetooth, NFC, photos, videos, and the list of running processes, all without the user’s permission or knowledge.

<Thread> Hi @Oneplus 👋! Remember me? Let’s talk about another debug app you left in your device.

OnePlusLogKit is a system application which allows you to do a multitude of things: get wifi logs, nfc logs, gps logs pic.twitter.com/HvnErm8rXg — Elliot Alderson (@fs0c131y) November 15, 2017

This means that while EngineerMode allowed an attacker to root the device, OnePlusLogKit lets attackers access the personal data of OnePlus users. However, in this case, an attacker has to have physical access to the targeted device and then dial *#800# and click on “Get Wireless log.” Without physical access, an attacker can use social engineering to fool users into enabling the app and then collect the data.

Originally, the app was used by manufacturers for testing purposes, but its presence on devices used by customers is a massive privacy and security threat. There has been no comment from OnePlus yet; however, in a forum post, OxygenOS Team staff member OmegaHsu discussed the presence of the EngineerMode app in OnePlus devices:

“We’ve seen several statements by community developers that are worried because this apk grants root privileges. While it can enable adb root which provides privileges for adb commands, it will not let 3rd-party apps access full root privileges. Additionally, the adb root is only accessible if USB debugging, which is off by default, is turned on, and any sort of root access would still require physical access to your device. […] While we don’t see this as a major security issue, we understand that users may still have concerns and therefore we will remove the adb root function from EngineerMode in an upcoming OTA.”

This is not the first time Chinese firm OnePlus has been in the news for all the wrong reasons. Last month the firm was also accused of collecting user data through OxygenOS, while in July this year a Reddit user from Seattle, United States, shared video evidence that whenever he dialed the emergency telephone number 911, his Android-based OnePlus 5 (OP5) smartphone rebooted itself for no apparent reason.

Last week, another Chinese firm, MantisTek, which specializes in manufacturing mechanical keyboards, was caught spying on users by collecting their data through a built-in keylogger.