[BREAKING] Your OnePlus phone is likely vulnerable to a critical reboot bug
OnePlus started releasing smartphones in 2014, which makes it a little over five years old in the business. Looking at what the Chinese company has achieved during this short period, it’s undoubtedly headed in the right direction.
The company’s ability to cram some top-level hardware and features into phones that cost half the price of their closest rivals is what has propelled it to such unimaginable heights in the half-decade it has been in the smartphone business.
While the price of the OnePlus One vis-a-vis that of the OnePlus 7 Pro is worlds apart, for instance, it is the continued price hike that smartphones are getting each year that has forced OnePlus into such territories.
Nonetheless, many will agree that OnePlus phones still offer the best value for money. And this is despite the few shortcomings like the lack of IP68 dust and water resistance, 3D Face unlock, and even the doing away with the 3.5mm audio jack.
On the other hand, the aforementioned top-notch hardware and flagship features coupled with one of the best software experiences still make OnePlus phones among the most desirable.
However, the fact that the company is still nowhere near the likes of Samsung and Apple in terms of resources means there will always be a few issues here and there, more so in the company’s OxygenOS software.
One such issue is the recent discovery that OnePlus phones are likely vulnerable to a critical system bug that could easily lock affected units into a reboot loop.
Below is a documentation of this issue by developer Till Kottmann, who made this dreadful discovery.
About two months ago I stumbled upon a serious issue in OnePlus’ Operating Systems, which would allow any app to reboot the Phone without any user intervention. I reported the issue and it has now been fixed in Oxygen OS 10.
Apparently, this issue has been around since Android Pie (OxygenOS 9) but it has now been addressed in the latest OxygenOS 10. Since the latter Android 10 based update isn’t available for all OnePlus phones, it means the likes of OnePlus 6, 6T, 5 and 5T are still vulnerable.
According to Kottmann:
There are actually two ways this was possible, one of which was already fixed in previous OOS versions as I cannot reproduce it anymore on Pie+. For this variant an App could call a factory mode intent supposed to “InstallSpecialApk” (it does not actually install anything on consumer builds), which will reboot the phone after about a second. The new method I found is similar in the way that it only requires an app to start an intent. This time however it is located in a different app.
…there are no permission checks, the phone just instantly reboots. I created a simple proof of concept app for these methods, but the possibilities for a threat actor reach far wider. It is possible to trap users in a reboot loop until they remove the app from safe mode or wipe.
The fact that the vulnerability is attached to system-level apps is even more frightening considering that they usually have far-reaching permissions yet there are no permission checks when the bug springs into action and reboots your OnePlus phone.
The good side of the story is that the issue has been addressed for OnePlus 7 and 7 Pro users through the update to OxygenOS 10, so other vulnerable phones should also be fixed. The problem is for the likes of OnePlus 5 and 5T, the OxygenOS 10 update will arrive in 2020.
Hopefully, OnePlus will find a way to address this issue earlier rather than have OnePlus 6, 6T, 5 and 5T users waiting for the bug-fixer for weeks or even months.
PiunikaWeb started as purely an investigative tech journalism website with main focus on ‘breaking’ or ‘exclusive’ news. In no time, our stories got picked up by the likes of Forbes, Foxnews, Gizmodo, TechCrunch, Engadget, The Verge, Macrumors, and many others. Want to know more about us? Head here.