The problem is that once discovered and decompiled, the app has a feature that easily gives root access to the device even without unlocking the device's bootloader. While the root backdoor hasn't been verified in other devices yet, reports from Twitter indicate the APK was also found in Asus and Xiaomi devices. It's used by the operator in the factory to test the devices.
A developer recently discovered an app called "EngineerMode" installed on OnePlus devices (OnePlus 3, 3T and 5, according to Android Police). A person can gain root through it if they have a password to bypass privilege escalation checks. It's not something that could be achieved remotely, however; you would need the physical OnePlus device connected to a computer running the Android Debug Bridge (ADB) to exploit the vulnerability. The app is actually a modified version of a testing application created by Qualcomm. The staff member reassured users by saying that third-party apps can't gain full root privileges from EngineerMode. Check the name of the native library used to check the code: door... The company already drew criticism earlier this year over its onerous data collection practices, in which the company sucked up sensitive data from user devices and transmitted that information with each device's serial number attached.
We've also reached out to OnePlus and will update this story when we receive comment. The company claimed the data was simply for performance analytics but agreed to scale back what it collected.
This nonetheless raises questions over why the device is shipping with this app (presumably it has just been overlooked) and whether it's available on other Qualcomm devices. From there, just search for Engineer Mode to see if it is installed.
OnePlus did not immediately respond to a request for comment.