Reported OS version included elements from earlier releases

Mar 5, 2015 17:05 GMT

The highly popular Mi4 LTE Android smartphone produced by Xiaomi has been found to ship from the factory with serious security risks, ranging from pre-loaded risky apps to root access and a questionable build of the underlying Android operating system.

The demand for Xiaomi devices has grown lately and the Mi4 LTE smartphone seems to attract a large number of customers. In mid-February, 25,000 units sold out in 15 seconds on India’s online retailer Flipkart.

Apps detected as malware found in default configuration

However, it appears that at least the versions sold in China are filled with enough security problems to make a customer think twice about purchasing it.

Following an initial analysis, security researchers at mobile data security company Bluebox discovered that a unit they bought in China came pre-installed with a set of risky apps, some labeled as malware by antivirus solutions.

One potentially dangerous app was Yt Service, whose purpose is to integrate an adware service called DarthPusher. An app pushing advertisements would not generally raise alarms, but Bluebox says that Yt Service created the false impression that it was developed by Google, since its package is named “com.google.hfapservice.”

“In other words, it tricks users into believing it's a ‘safe’ app vetted by Google,” Bluebox said in a blog post on Thursday.

Other shady apps present on the device were PhoneGuardService (com.egame.tonyCore.feicheng), which is detected by some antivirus solutions as a Trojan, and SMSreg, marked as malware in some cases. In total, the researchers say they’ve found six suspicious apps whose behavior is similar to malware, spyware or adware.

Murky version of OS installed

Using Trustable, their mobile security assessment tool, the researchers found that the analyzed Mi4 unit was vulnerable to Masterkey, FakeID, and Towelroot (the Linux futex bug), basically every flaw the utility scans for except Heartbleed.

Apart from this, the device was rooted and USB debugging mode was turned on. Bluebox reported that the “su” application needed a security provider in order to work on the device; even so, the risk remains, as cybercriminals could exploit one of the vulnerabilities and use the root access to take complete control of the device.

During the analysis, the researchers observed that although the reported version of the operating system was Android 4.4.4 (KitKat), it appeared to include elements from earlier releases.

One example was the USB debugging icon, which was taken from Jelly Bean (Android 4.1-4.3.1). Furthermore, some of the vulnerabilities uncovered were specific to earlier versions of Android and had been fixed in KitKat.

The results of the investigation do not make clear whether the OS version used was built just for testing purposes or was intended as a consumer release.
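As an added example, not code from the article or from Bluebox's Trustable tool, the script below runs the same class of checks over dumps pulled from a device: a reported release that disagrees with the build's API level, a present su binary, USB debugging enabled, and packages that squat on the com.google namespace. It assumes the inputs are the text of `getprop`, `pm list packages`, `which su` and `settings get global adb_enabled` collected over adb; the sample dumps and the Google allow-list are constructed for illustration.

```python
import re

# Package names the article reports as suspicious on the analyzed unit.
FLAGGED_PACKAGES = {"com.google.hfapservice", "com.egame.tonyCore.feicheng"}
# Illustrative allow-list of genuine Google packages (assumption: a real one
# would be taken from a known-good reference image of the same model).
GOOGLE_ALLOWLIST = {"com.google.android.gms", "com.google.android.gsf"}
# Android release -> API level, for the releases the article discusses.
RELEASE_TO_SDK = {"4.1": 16, "4.2": 17, "4.3": 18, "4.4": 19}

def parse_getprop(text):
    """Turn `getprop` lines of the form [key]: [value] into a dict."""
    return dict(re.findall(r"\[([^\]]+)\]: \[([^\]]*)\]", text))

def parse_packages(text):
    """Turn `pm list packages` lines (package:<name>) into a set of names."""
    return {ln.split(":", 1)[1].strip() for ln in text.splitlines() if ln.startswith("package:")}

def triage(props, packages, su_present, adb_enabled):
    """Return a list of findings; an empty list means no indicator fired."""
    findings = []
    release = props.get("ro.build.version.release", "")
    expected_sdk = RELEASE_TO_SDK.get(release[:3])
    if expected_sdk and props.get("ro.build.version.sdk") != str(expected_sdk):
        findings.append(f"build reports Android {release} but API level "
                        f"{props.get('ro.build.version.sdk')} (expected {expected_sdk})")
    if su_present:  # from `which su` returning a path (assumption)
        findings.append("su binary present: device ships rooted")
    if adb_enabled:  # from `settings get global adb_enabled` == 1 (assumption)
        findings.append("USB debugging enabled out of the box")
    for pkg in sorted(packages):
        if pkg in FLAGGED_PACKAGES:
            findings.append(f"known suspicious package: {pkg}")
        elif pkg.startswith("com.google.") and pkg not in GOOGLE_ALLOWLIST:
            findings.append(f"package impersonating Google namespace: {pkg}")
    return findings

# Constructed sample dumps (not real device output) mirroring the article's findings:
# a 4.4.4 release string over a Jelly Bean API level, plus the named packages.
SAMPLE_GETPROP = """[ro.build.version.release]: [4.4.4]
[ro.build.version.sdk]: [18]
[ro.product.model]: [MI 4LTE]"""
SAMPLE_PACKAGES = """package:com.google.android.gms
package:com.google.hfapservice
package:com.egame.tonyCore.feicheng
package:com.android.settings"""

def run_sample():
    """Triage the constructed dumps with su present and adb enabled, as reported."""
    return triage(parse_getprop(SAMPLE_GETPROP), parse_packages(SAMPLE_PACKAGES),
                  su_present=True, adb_enabled=True)

if __name__ == "__main__":
    for finding in run_sample():
        print("FLAG:", finding)
```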

Smartphone passes the legitimacy test

Forked Android versions are far from being rare, as a study from ABI Research revealed that in Q4 2014 alone, 40% of all Android shipments were custom variants, which oftentimes come with security risks due to insufficient assessment.

Considering these findings, the researchers suspected that the phone they had bought might actually be a fake, so they tested the theory through several methods, including a utility from Xiaomi created specifically for this purpose. The device passed the legitimacy test.

Bluebox disclosed its results to Xiaomi but the smartphone manufacturer did not reply, so the report was made public.

[UPDATE, March 7]: Xiaomi contacted us and offered an explanation for Bluebox’s findings, saying that the device must have been obtained from an unofficial retailer that tampered with the product.

“We are certain the device that Bluebox tested is not using a standard MIUI ROM, as our factory ROM and OTA ROM builds are never rooted and we don’t pre-install services such as Yt Service, PhoneGuardService, AppStats etc.,” Kaylene Wong, communications manager for Xiaomi, said.

“The phone that Bluebox purchased could have been tampered with as it likely came from an unofficial channel. We only sell via Mi.com, and a small number of select partners such as operators,” she added.

[UPDATE, March 9]: Investigative efforts from Xiaomi and Bluebox revealed that the smartphone analyzed by the security researchers was a high-quality clone of the original.

[Image: Trustable score for the analyzed Mi4 LTE from Xiaomi]