Bloatware analytics package exposes Xiaomi handsets

Sep 15, 2016 11:55 GMT

Attackers can hijack Xiaomi Mi4 devices, and possibly Redmi handsets, due to the improper way Xiaomi handles update procedures for a built-in app called AnalyticsCore.

All OEMs pack a suite of bloatware apps with their devices. One of the apps Xiaomi ships with its heavily modified Android build (MIUI) is AnalyticsCore which, judging by its name, is a package for collecting data about device usage.

Dutch security researcher Thijs Broenink, who blogged about this issue two days ago, says the app contains code that checks for a new version every 24 hours.

Attackers could replace the update package with their own APK

If the app finds a new version on Xiaomi's servers, it downloads that version and installs and runs it on the user's device under a highly privileged user/app context.

Broenink says the app doesn't check the validity or source of the downloaded APK, which opens the door for possible on-device attacks.

Malware already present on the user's phone could wait for this file to be downloaded and swap it out, or drop its own APK into the folder the updater reads from and have it installed by the automatic update procedure.

"It seems like there indeed is no validation on what APK is getting installed. So it looks like Xiaomi can replace any (signed?) package they want silently on your device within 24 hours," the researcher also suggested. Is this a backdoor to your Xiaomi device? Probably not. But it shouldn't be there either.

On-device and MitM attacks are both possible

Furthermore, the AnalyticsCore app downloads updates from an HTTP URL, exposing itself and its users to Man-in-the-Middle attacks.

"One can intercept the [download] request on a public hotspot and deliver a modified APK file," Broenink said in a Twitter conversation. "But yes, a MitM seems like a plausible scenario."
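As an added illustration (not code from MIUI, AnalyticsCore or the researcher), here are the two checks this article says the updater lacked, written as an Android pre-install gate: the download URL must be HTTPS, and the fetched APK's signing certificate must match a pinned fingerprint before the file is handed to the installer. UpdateGate is a hypothetical class and the pinned fingerprint is a placeholder.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;

/** Hypothetical pre-install gate for a self-updating system component (illustrative only). */
public final class UpdateGate {
    // Placeholder, not a real Xiaomi value: SHA-256 of the DER-encoded release signing
    // certificate that a real deployment would pin (the key that signed the installed build).
    private static final String PINNED_SIGNER_SHA256 = "<PINNED-SIGNER-SHA256-PLACEHOLDER>";

    /** Refuse the plain-HTTP update URL the article describes before any bytes are fetched. */
    public static boolean isAllowedUpdateUrl(String spec) {
        try {
            return "https".equalsIgnoreCase(new URL(spec).getProtocol());
        } catch (MalformedURLException e) {
            return false;
        }
    }

    /** Reject a downloaded APK that is unparseable, unsigned, multi-signed, or not signed
     *  by the pinned release key, before it reaches the installer. */
    public static boolean isSignedByPinnedKey(Context ctx, String apkPath)
            throws NoSuchAlgorithmException {
        PackageManager pm = ctx.getPackageManager();
        // GET_SIGNATURES was the current flag in 2016; newer targets use GET_SIGNING_CERTIFICATES.
        PackageInfo info = pm.getPackageArchiveInfo(apkPath, PackageManager.GET_SIGNATURES);
        if (info == null || info.signatures == null || info.signatures.length != 1) {
            return false;
        }
        // Signature.toByteArray() is the DER-encoded X.509 signing certificate.
        byte[] fingerprint = MessageDigest.getInstance("SHA-256")
                .digest(info.signatures[0].toByteArray());
        // Constant-time comparison against the pinned fingerprint.
        return MessageDigest.isEqual(toHex(fingerprint).getBytes(),
                PINNED_SIGNER_SHA256.toLowerCase(Locale.ROOT).getBytes());
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format(Locale.ROOT, "%02x", b));
        return sb.toString();
    }
}
```

Until the placeholder is replaced with the real signer fingerprint, isSignedByPinnedKey rejects every archive, which is the safe default for an updater that runs with system privileges.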

In his blog post, the Dutch researcher recommends that users block any network requests from the phone to the xiaomi.com domain, just to be safe.

Broenink has not filed a bug report with Xiaomi about his discovery. Softpedia has reached out to Xiaomi to inform the company about the researcher's findings and for additional comment on this issue.

UPDATE: Xiaomi has responded to Broenink's research with the following statement on the security of Mi4 and other devices where the AnalyticsCore package is deployed.

  AnalyticsCore is a built-in MIUI system component that is used by MIUI components for the purpose of data analysis to help improve user experience, such as MIUI Error Analytics. As a security measure, MIUI checks the signature of the Analytics.apk app during installation or upgrade to ensure that only the APK with the official and correct signature will be installed. Any APK without an official signature will fail to install. As AnalyticsCore is key to ensuring better user experience, it supports a self-upgrade feature. Starting from MIUI V7.3 released in April/May, HTTPS was enabled to further secure data transfer, to prevent any man-in-the-middle attacks.