OnePlus 5T Stable Oreo Update Installs Possible Spyware with Potentially Dangerous Permissions

BAD NEWS, GUYS. A big bad news for every OnePlus 5T User who has updated their software to Oxygen OS v5.0.2 Stable Oreo Update recently. You most probably got a spyware installed on your device. And I personally own a OnePlus 5T and have become a victim of the same recently.

EXCLUSIVE: OnePlus 5T Stable Oreo Update Installs Possible Spyware with Potentially Dangerous Permissions

In fact, the possible spyware has access to one of the core utilities of your phone, with some mysterious permissions. The potential harm it can cause with it is really alarming.

First things first, there is a solution to it. But that really doesn’t make me feel safe, as some deep-rooted spyware may be still on my device which maybe nobody can notice easily.

There has been quite a few news recently about OnePlus spying on User Data without their consent. I really didn’t pay any heed to it, as I didn’t notice it myself. But this time, it left me surprised.

Dear OnePlus, Why do you make me feel pissed off always? -_-

Anyways, I am just going to tell you what’s its all about, and How did I notice it in the first place.

YOU MAY ALSO LIKE: NOOB’S GUIDE: How to Earn Money with Bitcoin Trading in India?

How did it begin?

Before I begin, here’a note for all of you: Don’t use this article alone to judge the OnePlus brand. I have been a user of OnePlus since OnePlus 3 and I am following them since OnePlus One. They have a lot of good stuff than bad. And no smartphone manufacturers are 100% okay. You need to judge it by yourself. Everything I stated here is based on my findings, nothing else 🙂

I live in India, and, as always, we get OnePlus Oxygen OS updates quite a few days after the actual release. They call it phased rollout, by which the update rolls out gradually to users worldwide. Good thing.

But, there’s a tweak to get your updates instantly (or within some hours) after it gets released. That is, by using any VPN service.

A VPN (or Virtual Private Network) is used to hide your IP Address and Change it to some other country’s IP so that you appear to be browsing from another country. Alternatively, it can change your device location to any place.

So you can just use any VPN App to change your location to any country which gets the updates before others, like Germany or Canada. Once you do that, you can search for available updates, and it will show you if an update is available. Once you get that, simply disable your VPN and start downloading it with your normal internet connection, as a VPN may have speed limitations.

YOU MAY ALSO LIKE: 8 Premium Android Apps to Get Unlimited VPN for FREE

So, when I got to know about the Stable Oreo Update release for OnePlus 5T, I was very excited and decided to go the VPN way to grab it ahead.

I used Turbo VPN, which is a Free VPN App. All I needed is just a VPN Connection for a minute or so, during which I can go to my Settings and Search for the available update, then close the VPN and proceed to download it. I have done this many times previously, and it didn’t affect my device in any way. It is a safe process.

So on 31st January 2018 at around 9 pm, I searched for available updates using VPN and got the Oreo Update Package with OnePlus v5.0.2. It was around 1.5GB in Size. I downloaded it and installed it.

EXCLUSIVE: OnePlus 5T Stable Oreo Update Installs Possible Spyware with Potentially Dangerous Permissions

Surprisingly, the installation process was very quick, even for that huge update, including Android Version Upgrade. It took me 5 minutes to install.

I didn’t clear any data, it was a dirty flash, though handled by the Official OTA Installer. I didn’t have to do a thing.

The first thing I noticed right after the installation was that my already-buttery OnePlus 5T have become more fluid. I could feel it myself. The swiping, pressing button latency etc were much better than Nougat. I faced no hanging issues or force close issues with any of my apps, I have around 80+ Apps and Games installed.

YOU MAY ALSO LIKE: Speedtest: The fastest smartphone of 2017

The Problem Starts Now:

Next day, 1st February 2018 morning, I got up and saw a weird app named MKey on my Application List. I recall clearly that I haven’t installed any such apps earlier and it wasn’t there yesterday on my Nougat ROM.

EXCLUSIVE: OnePlus 5T Stable Oreo Update Installs Possible Spyware with Potentially Dangerous Permissions

So the only way that unknown App ‘MKey’ got itself installed on my device is by this Oreo Update. It definitely came with the ROM Package.

Now comes the question, is it an official app?

At first, I thought it is some official app and decided to try it out. I opened it.

It shows a splash screen like this, that says: Unlock your Smartphone Keyboard.

EXCLUSIVE: OnePlus 5T Stable Oreo Update Installs Possible Spyware with Potentially Dangerous Permissions

Judging by the icon in the middle, you can say it is a Keyboard App.

But, the fonts, the colors, the icon, nothing suggests that such an app was built by OnePlus themselves.

So, was it from a third party? So, OnePlus is installing some third-party keyboard?

The next thing it did was more surprising. A popup loaded asking for my permission to make it my default Messaging SMS App.

 

 

EXCLUSIVE: OnePlus 5T Stable Oreo Update Installs Possible Spyware with Potentially Dangerous Permissions

Why? Just why would some app try to become my default SMS app, in spite of OnePlus having their own SMS?

So, it is both a keyboard and an SMS App?

At first, I denied permission, and guess what? It closed itself. Wow!

So, without granting it permissions, it won’t work. Good.

YOU MAY ALSO LIKE: Top Keyboard Apps for Android 2018: Compared and Reviewed

Exploring MKey App Features:

So, I decided to try out the app once. I made it my default Messaging App. It asked for some really fishy permissions, including drawing over other apps permission. Coming to that part later. Anyways, finally, I saw the SMS app main screen. It contained my received SMS list.

Now, in the settings of the app, it asked me to set up MKey Keyboard. Just like we enable other keyboards from settings, it needs to be enabled from settings, from the Manage Keyboard section.

Their keyboard had many Indian Languages support. But, why would that app come bundled with OnePlus?

This smelled fishy to me. So, what is this app doing with so many permissions?

To be exact, here are the permissions it wanted.

EXCLUSIVE: OnePlus 5T Stable Oreo Update Installs Possible Spyware with Potentially Dangerous Permissions

 

Camera, Contacts, Location, Phone, SMS, Storage, it took all the permissions 🙂

I can understand Contacts, Phone, SMS and Storage feature, but why Camera Permission?

This made me more suspicious. So, is MKey App secretly spying on you?

And it also got the permission to Draw over other Apps!

To summarize it, I had an app that came with OnePlus Oreo Update, named MKey. It was a third party app, unofficial and not made by OnePlus. It had a keyboard that can record anything I type. It had camera permissions. And, above all, it had become my default SMS App. So, every SMS I receive, including that of any Banking SMS, or any Transaction SMS, is all received by this app. This is very strange.

I decided to look into it further. So, I googled it up.

YOU MAY ALSO LIKE: How to Control Internet and Social Network Addiction?

Dangerous MKey Policies:

MKey Official Website URL is: https://mkey.co.in/ and all it shows is a login box with Username and Password.

EXCLUSIVE: OnePlus 5T Stable Oreo Update Installs Possible Spyware with Potentially Dangerous Permissions

So, you really cannot know much about the company from here, can you?

And why would it ask for username and password when the end user app has no such registration thing? This this is bad, very bad. 🙁

After some searching, I found another page with their Cookie Policy or Privacy Policy. And what was written over there was just terrible.

THEY ARE TRACKING ALL YOUR MOVES!

Here’s what their cookies policy says in brief:

  • They keep a note on all websites you visit and you register. They use it to authenticate your device. (Who gives them the right to do so? -_- )
  • They might suggest you products to buy based on the websites you visit. (Expected!)
  • They use third parties to track your device performance, analytics, and reports aggregate information.(Again Tracking)
  • They might try to interpret your mobile sessions (means what you do with your device in one session).(Umm, Why?)
  • They will record your username and password of the websites you register and auto-fill them whenever you re-visit those websites. (Data thief, password thief what more should I call it? 🙁 )
  • They will sell your demographic information to advertisers. (Okay, Anything more? )
  • Finally, you can block cookies, by not allowing your browser to accept cookies. So, that means they will directly collect cookies from your browser, like Chrome and the only way to stop it is to ask your browser to stop recording cookies. (Wow!)

Here’s the link to their Cookie Page: Click Here to Visit.

Alright, so it is more or less confirmed that they are using cookies to track each and every move. THIS IS A PRIVACY BREACH.

YOU MAY ALSO LIKE: How to Get Pixel 2 AI Based Portrait Mode on Any Android Device?

More Shady Stuff about MKey:

I looked at OnePlus Forums and there was a Thread related to that specific apk. I also found a Reddit Thread.

And I realized it wasn’t me alone, other users have faced it too.

And I came across some really shocking points. I have listed them below.

  • People who have faced it mostly used VPN for Downloading their OTA. So, some users tried saying that it may be some VPN issue. But why on earth should a VPN be responsible for installing such an app?
  • People who have downloaded the ROM via Official OTA without using any VPN also got it. So, the VPN theory didn’t stand.
  • Also, there were users who have updated or without VPNs and DID NOT GET ANY SUCH APK.
  • Some of those users who didn’t get the MKey Apk initially, got that apk soon after they restarted their device or rebooted.
  • But even then, there were users, who didn’t get the MKey apk initially, also didn’t get it after any such rebooting.
  • So, at the end, no strong theory could be placed on the source for installing that app. Some people got it. Some people didn’t get it. It was so fishy and shocking at the same time.
  • The next strange thing about MKey is about what it does: SMS and Keyboard, both of which are covered by Google and OnePlus already. OnePlus has their dedicated SMS App. Why would they need another third party app for that, which doesn’t look so attractive?

OnePlus Staff Explanation:

The issue was explained by a OnePlus staff Adam Krisko on 1st February 6 am on that Forum.

He said this:

The MKey APK is a font resource that was provided officially for India for local font compatibility needs. This can be uninstalled by users if not needed or wanted, but we are required to provide it.

Okay, at least OnePlus recognizes it. So, indeed it was bundled with OnePlus and had nothing to do with VPN and stuff. So, the source can be traced at least.

But, then comes the next series of questions?

Why does the app track everything we do with our device?

Why would they need to bundle such an app with mysterious permissions when they already have SMS Apps of their own? Regarding the font compatibility, OnePlus supports all regional local fonts.

So, why is OnePlus installing that? Why did he say that ‘they are required to provide it’? Who gave such requirement instructions?

Why does that app work only when we set it as the default SMS App?

Why does it need camera permission or location permission even as an SMS App?

Why didn’t OnePlus mention about that app in their OTA What’s New section? Are they trying to hide something?

What information does the app share with OnePlus or other third parties? Is it anonymous or identifiable?

Does the app store any information on their own server or just locally?

Why didn’t some user not get the app? Why such anomaly in distribution?

Why do only OnePlus 5T users getting this App on Oreo? What about OnePlus 5 or OnePlus 3/3T Users?

And finally, why bundle the app with an OTA Update? Why not put the app to Play Store instead?

The questions continue even now. And it is getting fishier. And with those strange policies, the only thing I would suggest you right now is Uninstalling MKey App from your OnePlus 5T Oreo Build Oxygen OS v5.0.2.

YOU MAY ALSO LIKE: 10+ WhatsApp Tricks to Be A Pro WhatsApp User (Must Try These)

How to Uninstall MKey from OnePlus?

Uninstalling MKey is a straightforward process. Simply go to your applications list, find MKey, clear its data, then change your default SMS App to your earlier settings. Finally, proceed to uninstall the app.

EXCLUSIVE: OnePlus 5T Stable Oreo Update Installs Possible Spyware with Potentially Dangerous Permissions

It uninstalls instantly.

But, I am still skeptical about it. What if some spyware is still on my device and cannot be located?

Another shocking thing here is that the App will come back if you do a Factory Reset, just like it came at the first time. So, I am not at all satisfied.

What to do if I haven’t Upgraded to Oreo on OnePlus?

First and foremost, let me confirm this: Whether or not OnePlus gives a reason for bundling the MKey App, I am confident that the App isn’t required by us at all, for any purposes. Especially when OnePlus has their default messaging app.

So, essentially, you will need to get rid of that app.

If you are not worried about any sensitive data breach, you can simply upgrade to Oreo (no matter you use VPN or not, it is gonna come), and then Uninstall the MKey app right away, without even trying to open it.

I cannot digest the fishy permissions it asks. No, you don’t need it, and I won’t suggest you keeping the app as long as OnePlus doesn’t give a firm reason for that. So, Uninstall it right away.

But, like I said, I am still worried about any hidden spyware inside my device, if you worry about that, or if you have sensitive data inside your device, don’t upgrade. Just remain on Nougat. To be honest, Nougat is smooth and performance wise, you can do pretty much anything on it.

So, just keep using Nougat for some more days until more information is discovered regarding the same.

YOU MAY ALSO LIKE: How to protect yourself from the deadly ‘Ransomware’ Virus?

OnePlus Previous Privacy Breach Incidents:

This isn’t the first time OnePlus is doing this. It has done this earlier also.

At first, some Engineer Mode backdoor vulnerability was left inside OnePlus. After that, OnePlus Clipboard app was discovered sending data to China. And soon after, the OnePlus website came under a Credit Card phishing attack.

Even earlier, OnePlus was caught by XDA for manipulating Performance Score Results. OnePlus apologized to it later on.

So, time and again, OnePlus has been around with some good amount of negativity.

Just like a good company should receive all the praise it deserves, these kinds of experiences also needs to be reported so that no further incidents occur. Hence, I thought of writing up this article for you all. I hope I was able to convey everything about the app to you.

Last Words:

Well, I am a OnePlus user myself and I still love using my OnePlus 5T more than anything. It is a powerhouse, I feel proud to use it. And I never get satisfaction using any other device, other than OnePlus. So, how can imagine how hard is it for me to go through all of this?

But that does not mean I will ignore this issue. It is serious and is potentially harmful to your device, hence letting you know all of this.

Don’t forget to share this post with every OnePlus 5T User and make them aware of it. Use the social share buttons below.

Thank you for reading. See you soon with another interesting update. 🙂

Nirmal Sarkar is a BTech Engineering Student from the city of Joy, Kolkata. He is a part time blogger, and likes to write web articles on Android Stuffs and latest Freebies.

4 Comments
  1. Oh..! That’s alarming. All if them need our data, i doubt ny redmi phone is also collecting such user data. Strict rules should be enforced in our country. A big security threat too.!

  2. Awesome article bro! Well derived and informative 🙂
    OnePlus has to take serious actions on these, hope they gonna do it soon!

    Leave a reply

    WordPress Security