Once again Xiaomi, the very popular and world's third-largest smartphone distributor, which had previously been criticized for secretly collecting users' information from their devices without permission, has been found spreading malware.
The top-selling Android smartphone in China, the Xiaomi Mi4 LTE, has been found to be shipped with pre-loaded spyware/adware and, on top of that, a "forked," or uncertified, vulnerable version of the Android operating system, according to San Francisco-based mobile-security company Bluebox.
Xiaomi, also known as the Apple of China, provides affordable, budget-priced smartphones with almost all the features an excellent smartphone offers. Just like other Xiaomi devices, the Mi4 LTE seems to attract a large number of customers, with more than 25,000 units sold out in just 15 seconds on India's online retailer Flipkart.
Security researcher Andrew Blaich of Bluebox revealed Thursday that the brand new Chinese Xiaomi Mi4 LTE handset appears to be unsafe to use from the moment you take it out of the box for the first time. After extensive testing, Blaich found two serious security issues in the smartphone:
- Pre-installed apps which are flagged as malware
- A forked, or uncertified, version of the Android operating system, which can be a serious security risk for users
ISSUE 1: PRE-INSTALLED MALWARE APPS
With the help of several top malware and antivirus scanners, the researcher discovered that the Mi4 LTE smartphone contains six suspicious apps that were flagged as malware, spyware or adware.
One particularly malicious app noticed by Bluebox, Yt Service, was found to be a piece of adware called DarthPusher that comes preloaded on all Xiaomi Mi4 LTE smartphones. What makes this app different is that Yt Service disguised its package name to look as if it came directly from Google, something an average Android user would expect to find on their device.
"This was an interesting find because, though the app was named Yt Service, the developer package was named com.google.hfapservice (note this app is NOT from Google)," Andrew Blaich wrote in a blog post on Thursday.
Other shady apps that come pre-installed on the device are as follows:
- PhoneGuardService (com.egame.tonyCore.feicheng) - flagged by the antivirus solution as a Trojan that could allow attackers to hijack the phone. The name of this app alone is enough to fool users.
- SMSreg - another piece of risky software detected by the antivirus firm as malware.
- AppStats (org.zxl.appstats) - classified as riskware.
In total, the security researchers discovered six suspicious apps whose behavior is similar to malware, spyware or adware.
ISSUE 2: CUSTOM/FORKED VERSION OF ANDROID ROM
There are two kinds of custom Android ROMs: 'compatible' and 'non-compatible'.
- Compatible Android forks are based on the Android Open Source Project (AOSP), comply with the Android Compatibility Definition Document (CDD), and pass the Compatibility Test Suite (CTS).
- Non-compatible forks are also built on the Android Open Source Project (AOSP), but are built to run their own ecosystems.
The Android version aboard the Mi4 LTE was found to be a sort of mixture of Android KitKat, Jelly Bean and even earlier Android versions.
Using Trustable, its mobile security assessment tool, the researcher discovered that the analyzed Mi4 unit was vulnerable to a host of recently discovered security flaws such as Masterkey, FakeID, and Towelroot (Linux futex).
ISSUE 3: MI 4 VULNERABLE TO SEVERAL FLAWS
Bluebox researchers stated that the Mi4 LTE smartphone was vulnerable to all the big vulnerabilities except the Heartbleed bug.
"Not only was the device vulnerable to every vulnerability we scan for (except for Heartbleed which only was vulnerable in 4.1.1), it was also rooted and had USB debugging mode enabled without proper prompting to talk with a connected computer," Blaich explained.
Several conflicting API build properties were also observed, meaning it was "unclear if [the] build of the software was meant for testing or release to consumers."
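The kind of out-of-the-box audit described in Issues 1 and 3 (a package squatting on the Google namespace, a rooted or debuggable build, USB debugging left on, and build properties that disagree about the Android version) can be scripted against `adb shell getprop` output and a package-to-signer table. This is an added example, not Bluebox's Trustable tool or any code from the article; the getprop lines and signer values are constructed, and the Google signer fingerprint is a placeholder.

```python
"""Defender-side audit of an Android device's build properties and app inventory.
Input: the text of `adb shell getprop` plus a dict of package name -> signing-cert
fingerprint (as reported by a tool such as apksigner). All sample values are constructed."""
import re

# Android release -> API level (Jelly Bean 4.1-4.3 = 16-18, KitKat 4.4 = 19)
RELEASE_TO_SDK = {"4.1": 16, "4.2": 17, "4.3": 18, "4.4": 19}

# Placeholder: substitute the real SHA-256 of Google's app-signing certificate
GOOGLE_SIGNER = "PLACEHOLDER_GOOGLE_SIGNER_SHA256"

def parse_getprop(text):
    """Turn `[key]: [value]` lines from `adb shell getprop` into a dict."""
    return dict(re.findall(r"^\[([^\]]+)\]: \[([^\]]*)\]$", text, re.M))

def audit(props, packages):
    """Return a list of (severity, finding) tuples; an empty list means nothing was flagged."""
    findings = []
    # Issue 3: release string and SDK level must agree, otherwise the build is inconsistent
    release = ".".join(props.get("ro.build.version.release", "").split(".")[:2])
    sdk = props.get("ro.build.version.sdk", "")
    expected = RELEASE_TO_SDK.get(release)
    if expected is not None and sdk != str(expected):
        findings.append(("medium", f"release {release} reports sdk {sdk}, expected {expected}"))
    # ro.secure=0 / ro.debuggable=1 mark an engineering build where adb runs as root
    if props.get("ro.secure") == "0" or props.get("ro.debuggable") == "1":
        findings.append(("high", "engineering/insecure build: adb shell runs as root"))
    # persist.service.adb.enable=1 kept USB debugging on across reboots on builds of that era
    if props.get("persist.service.adb.enable") == "1":
        findings.append(("medium", "USB debugging enabled in persisted settings"))
    # Issue 1: anything in the com.google.* namespace must carry Google's signing cert
    for pkg, signer in packages.items():
        if pkg.startswith("com.google.") and signer != GOOGLE_SIGNER:
            findings.append(("high", f"{pkg} uses Google namespace but is not Google-signed"))
    return findings

# Constructed sample resembling the device described in the article
SAMPLE_GETPROP = """[ro.build.version.release]: [4.4.4]
[ro.build.version.sdk]: [17]
[ro.secure]: [0]
[ro.debuggable]: [1]
[persist.service.adb.enable]: [1]
"""
SAMPLE_PACKAGES = {
    "com.google.hfapservice": "constructed-unknown-signer-fingerprint",
    "com.google.android.gms": GOOGLE_SIGNER,
    "org.zxl.appstats": "another-constructed-signer-fingerprint",
}

if __name__ == "__main__":
    for severity, message in audit(parse_getprop(SAMPLE_GETPROP), SAMPLE_PACKAGES):
        print(f"[{severity}] {message}")
```

Antivirus verdicts for the remaining packages (SMSreg, AppStats) are a separate feed; this script only catches what the device's own metadata gives away.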
Bluebox disclosed the issue to Xiaomi, which has not yet responded to the security firm's queries, nor has it acknowledged the device's purported security weaknesses.
So, if you are planning to buy a brand new Xiaomi Mi4 LTE smartphone, which is no doubt an attractive phone with all the popular smartphone features included, you must think twice before getting one.
Yesterday, the latest uTorrent update was also accused of bundling Bitcoin cryptocurrency-mining malware with the popular BitTorrent client.
UPDATE:
A Xiaomi spokesperson provided the following official statement to 'The Hacker News' via email:
"We are investigating this matter now. There are glaring inaccuracies in the Bluebox blog post. Official Xiaomi devices do not come rooted and do not have malware pre-installed. Therefore, we are certain the device that Bluebox tested is not using a standard MIUI ROM."
"It is likely that the Mi 4 that Bluebox obtained has been tampered with, because it was purchased from an unofficial channel. We only sell via Mi.com, and a small number of select partners such as operators."
"Furthermore, contrary to what Bluebox has claimed, MIUI is true Android, which means MIUI follows exactly Android CDD, which is Google's definition for Android devices, and it passes all CTS tests, the tool used to make sure a given device conforms to CDD, both in China and international markets."