Hot topics

Beware of fake software updates for OnePlus devices

AndroidPIT oneplus 3t 1356
© nextpit

When's the last time you heard about a fake software update? Well, it seems like OnePlus owners are in for a nasty surprise. Security experts found a security exploit a few weeks ago that allows fake software updates to be installed on OnePlus devices. This piece of malware can downgrade or even completely replace the phone's software. 

If you are using OnePlus One, you should probably refrain from connecting to a public Wi-Fi signal in the near future. The Indian multinational IT services company, HCL Technologies, recently found that some crafty hackers have managed to use public Wi-Fi signals as a channel to transfer a supposed software update onto your phone - which in reality turns out to be a malware ridden Trojan horse. 

A so-called man-in-the-middle attack allows attackers who are connected to the same Wi-Fi signal so send a supposed OTA update to your OnePlus device. This OTA may contain an older version of Oxygen OS, which in turn opens old Android security holes again and thus allows further attacks. A proof-of-concept video shows a successful downgrade.

The vulnerability was discovered primarily because OnePlus delivers the updates to its users unencrypted. Other vulnerabilities in OnePlus' update system allow the firmware to be replaced by an older or a completely different version, for example from Oxygen OS to Hydrogen OS - even if the bootloader of the device is locked.

So what can you do to protect your OnePlus device?

Because the software of the OnePlus 3T, OnePlus 3, OnePlus 2, OnePlus X, and that of the OnePlus One are affected, you won't be able to simply apply the tried and trusted tip: "Do not update your software to the latest Oxygen OS version". This might actually make the problem worse. The current issue can only by fixed by OnePlus by amending its update infrastructure. 

system up to date
How can you be sure that you've downloaded a legitimate update?  / © NextPit

Security experts have explained that by simply taking a few common sense security precautions, you can greatly reduce the risk of receiving this exploit. The first thing you can do to avoid this is not connect to public Wi-Fi networks. You should also enable Full Disk Encryption and Secure Boot. 

The best camera phones to buy in 2024

  Editor's Choice The Best Android Alternative The Best Camera iPhone The Best Camera Under $1,000 The Best Camera Under $600 The Best Camera Under $500 The Best Camera Foldable
Image Google Pixel 8 Pro Product Image Samsung Galaxy S24 Ultra Product Image Apple iPhone 15 Pro Max Product Image Google Pixel 8 Product Image Google Pixel 7 Product Image Google Pixel 7a Product Image OnePlus Open Product Image
Review: Google Pixel 8 Pro
Review: Samsung Galaxy S24 Ultra
Review: Apple iPhone 15 Pro Max
Review: Google Pixel 8
Review: Google Pixel 7
Review: Google Pixel 7a
Review: OnePlus Open
Go to comment (1)
Eric Ferrari-Herrmann

Eric Ferrari-Herrmann
Senior Editor

Eric has been with AndroidPIT since 2014. He’s writing articles and reviews for the German website. Topics are mostly privacy and new technology but there's also the occasional piece on environmental sustainability.

View all articles
Liked this article? Share now!
Recommended articles
Latest articles
Push notification Next article
1 Comment
Write new comment:
All changes will be saved. No drafts are saved when editing
Write new comment:
All changes will be saved. No drafts are saved when editing

  • 49
    storm May 15, 2017 Link to comment

    Yet another basic engineering gaffe. "The fail is strong with this one."

    Dwarfer66Deactivated Account