Unsafe usage of HTTP leads to MitM and an RCE

Jul 11, 2016 09:51 GMT

A remote code execution (RCE) vulnerability exists in MIUI, Xiaomi's own implementation of the Android operating system, in versions prior to MIUI Global Stable 7.2.

The vulnerability resides in the MIUI analytics component, which various Android apps use to collect data about the way their application is used on the user's device.

According to IBM's Security Intelligence team, this component has a self-update mechanism that can be hijacked via a MitM (Man-in-the-Middle) attack and used to deliver malicious update packages.

MIUI's analytics component uses an HTTP-based self-update mechanism

Because the analytics module does not verify the downloaded package and blindly executes it, an attacker has the opportunity to execute their code in the context and with the permissions of the highly privileged Android SYSTEM user.

The technical side of the problem comes down to the analytics package using plain HTTP both to query an update server for new versions and to download the resulting package. An attacker on the same network path can watch for update requests and, using basic spoofing techniques, reply in the server's name with a forged response.

This response contains links to the APK file the analytics package needs to download and execute. Because the analytics component does not engage in any type of cryptographic verification of the downloaded package, or of the server from where it fetched the file, the attack is trivial to carry out for an experienced threat actor.
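The two failures described above are the lack of transport security and the lack of any verification of the downloaded package. The following added example (not code from the article, from Xiaomi or from IBM) contrasts the accept-anything pattern with an update client that refuses a forged manifest, a swapped package, a plain-HTTP download URL, or a downgrade. Everything in it is constructed: the manifest format, the hostnames, the package bytes, and the pinned key; HMAC-SHA256 from the standard library stands in for the asymmetric signature a real update channel would carry, and the check logic is the same either way.

```python
"""Added example: accepting an update only after it is authenticated.

Assumptions (all constructed for this example, none from the article):
  * the update server answers with a small JSON manifest naming the package
    URL, the package's SHA-256 digest and a version number;
  * the client holds a pinned key used to authenticate the manifest
    (HMAC-SHA256 here is a stdlib stand-in for a real signature check);
  * the client knows its installed version so downgrades can be refused.
"""
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed pinned key; a real client pins a public key, not a shared secret.
PINNED_KEY = b"example-pinned-update-key"
INSTALLED_VERSION = 7


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Server side: authenticate the canonical manifest bytes."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def vulnerable_accept(manifest: dict, package: bytes) -> bool:
    """The pattern the article describes: whatever answered the request wins."""
    return bool(manifest.get("url")) and len(package) > 0


def hardened_accept(manifest: dict, tag: str, package: bytes,
                    key: bytes = PINNED_KEY,
                    installed: int = INSTALLED_VERSION) -> bool:
    """Accept the update only if every check passes."""
    # 1. Authenticate the manifest before trusting any field in it.
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return False
    # 2. Require HTTPS for the package download.
    if urlparse(manifest.get("url", "")).scheme != "https":
        return False
    # 3. The bytes actually downloaded must match the manifest's digest.
    digest = hashlib.sha256(package).hexdigest()
    if not hmac.compare_digest(digest, manifest.get("sha256", "")):
        return False
    # 4. Refuse rollbacks to an older (possibly vulnerable) version.
    if int(manifest.get("version", 0)) <= installed:
        return False
    return True


# Constructed sample data: a genuine update and a forged response.
GENUINE_PACKAGE = b"constructed genuine analytics package v8"
GENUINE_MANIFEST = {
    "url": "https://updates.example.invalid/analytics-v8.apk",
    "sha256": hashlib.sha256(GENUINE_PACKAGE).hexdigest(),
    "version": 8,
}
GENUINE_TAG = sign_manifest(GENUINE_MANIFEST, PINNED_KEY)

# A forged manifest: plain-HTTP link, different package, no valid tag.
SPOOFED_PACKAGE = b"constructed unexpected package contents"
SPOOFED_MANIFEST = {
    "url": "http://updates.example.invalid/analytics-v8.apk",
    "sha256": hashlib.sha256(SPOOFED_PACKAGE).hexdigest(),
    "version": 8,
}
SPOOFED_TAG = sign_manifest(SPOOFED_MANIFEST, b"not-the-pinned-key")


if __name__ == "__main__":
    print("vulnerable client accepts forged update:",
          vulnerable_accept(SPOOFED_MANIFEST, SPOOFED_PACKAGE))
    print("hardened client accepts forged update:",
          hardened_accept(SPOOFED_MANIFEST, SPOOFED_TAG, SPOOFED_PACKAGE))
    print("hardened client accepts genuine update:",
          hardened_accept(GENUINE_MANIFEST, GENUINE_TAG, GENUINE_PACKAGE))
```

The order of the checks matters: the manifest is authenticated first, so the URL scheme and digest are only read from data that has already been shown to come from the update server. Verifying the digest of the bytes actually received, rather than the URL alone, is what catches a package swapped in transit even when the manifest itself is genuine.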

Millions of Xiaomi devices are possibly affected

Many Android, iOS and desktop software applications have been exposed in recent months for not using HTTPS to deliver updates. In Xiaomi's case, the situation is dangerous because the company is the third largest smartphone manufacturer in the world, behind Samsung and Apple.

The company shipped over 70 million devices in 2015 alone, and any of them could be hijacked this way if the user fails to update to the most recent OS version.

IBM says it identified vulnerable analytics packages in at least four default apps provided with Xiaomi MIUI distributions, one of them being the default browser app.

Researchers informed Xiaomi of the issue this past January, and the company quickly provided a new MIUI update that addressed the vulnerability.