OnePlus' security troubles aren't over yet. Users have discovered that many of the company's phones from the past few years (including the OnePlus 5) include a Qualcomm testing app, EngineerMode, that lets you get root-level access to the phone without having to unlock its bootloader. An attacker would likely need physical access to your phone to do any damage, but that still means they could insert trackers or otherwise compromise your phone with very little effort.
At first glance, it looks like this is an accident rather than any kind of malicious behavior. The app is normally hidden until you tell Android to show system apps, so you might not notice it unless you went looking for it.
Company chief Carl Pei says his team is "looking into" the software's presence. If it's as widespread as it appears to be, there's a good chance you'll see a software update removing EngineerMode. However, the discovery isn't exactly confidence-inspiring. Between this and previously aggressive data collection, it looks like OnePlus hasn't been paying particularly close attention to security or privacy on its devices. It'll need to run a tighter ship if it wants to persuade users that its software is trustworthy.
Update: OnePlus has issued a statement that recaps the nature of EngineerMode and its threat (again, you need physical access to cause havoc). It's promising to remove the root function from EngineerMode through a future over-the-air update.
- This article originally appeared on Engadget.