Dutch student discovered a backdoor that could allow attackers to install any app on Xiaomi phones
If you are using a Xiaomi phone instead of an iPhone or a Samsung, you are not alone. According to International Data Corporation (IDC), in October 2014 Xiaomi, the biggest smartphone manufacturer in China, was also the third largest smartphone maker in the world, following Samsung and Apple Inc. and followed by Lenovo and LG. Xiaomi became the largest smartphone vendor in China in 2014, having overtaken Samsung, according to an IDC report.
Unlike Tencent, another Chinese company that has been struggling with its globalization plans due to users’ suspicion of censorship and surveillance, Xiaomi has undoubtedly been quite successful in expanding its user base overseas. However, a recent report by a Dutch computer science student may have confirmed some overseas users’ suspicions that surveillance exists in products manufactured by Chinese tech companies.
Thijs Broenink, a CS student and owner of a Xiaomi phone himself, analyzed his mobile device and discovered a backdoor that could allow an attacker to silently install any app on the phone.
The student decided to reverse engineer the code and discovered that the app checks the Xiaomi server for a new update every 24 hours. The app sends out mobile device identification data including the model, IMEI, MAC address, a nonce, the package name and a signature.
If the app finds a more recent APK on the server with the filename “Analytics.apk,” it automatically downloads and installs it in the background without any user interaction.
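The update-check behaviour described above leaves a recognisable footprint in outbound traffic: one host polled on a roughly 24-hour cadence, device identifiers in the query string, and, occasionally, an APK served back. The following Python script is added here as an illustration and is not taken from Broenink’s write-up or from Xiaomi’s code; it runs that check over a constructed proxy log, and the host names, parameter names, IMEI/MAC values and log format are all assumptions.

```python
"""Flag the silent-update pattern in an outbound proxy log (constructed example).

Three indicators are checked, matching the behaviour described in the article:
  1. requests whose query string carries device identifiers (IMEI, MAC, nonce, signature)
  2. hosts contacted on a steady ~24-hour cadence
  3. responses whose content type is an Android package (APK)
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log, one request per line: "<ISO timestamp> <host> <path> <response content-type>".
# Host names use the reserved .test TLD; identifier values are placeholders, not real devices.
SAMPLE_LOG = """\
2016-09-01T03:12:00 updates.example-vendor.test /check?model=MI4&imei=IMEI-PLACEHOLDER&mac=00-11-22-33-44-55&nonce=a1b2&pkg=com.example.analytics&sig=PLACEHOLDER application/json
2016-09-01T10:00:00 cdn.legit.test /index.html text/html
2016-09-02T03:12:07 updates.example-vendor.test /check?model=MI4&imei=IMEI-PLACEHOLDER&mac=00-11-22-33-44-55&nonce=c3d4&pkg=com.example.analytics&sig=PLACEHOLDER application/json
2016-09-03T03:12:03 updates.example-vendor.test /check?model=MI4&imei=IMEI-PLACEHOLDER&mac=00-11-22-33-44-55&nonce=e5f6&pkg=com.example.analytics&sig=PLACEHOLDER application/vnd.android.package-archive
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
IDENTIFIER_PARAMS = {"imei", "mac", "nonce", "sig"}  # assumed parameter names
APK_MIME = "application/vnd.android.package-archive"


def parse_log(text):
    """Turn the constructed log format into a list of dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, host, path, ctype = m.groups()
        entries.append({"ts": datetime.fromisoformat(ts), "host": host, "path": path, "ctype": ctype})
    return entries


def query_params(path):
    """Return the set of query-parameter names in a request path (lower-cased)."""
    if "?" not in path:
        return set()
    return {kv.split("=", 1)[0].lower() for kv in path.split("?", 1)[1].split("&") if kv}


def periodic_hosts(entries, period=timedelta(hours=24), tolerance=timedelta(minutes=30), min_hits=3):
    """Hosts whose consecutive request gaps all sit within `tolerance` of `period`."""
    by_host = defaultdict(list)
    for e in entries:
        by_host[e["host"]].append(e["ts"])
    result = {}
    for host, times in by_host.items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if all(abs(gap - period) <= tolerance for gap in gaps):
            result[host] = len(times)
    return result


def analyze(text):
    """Combine the three indicators into one findings dict."""
    entries = parse_log(text)
    return {
        "identifier_leaks": sorted({e["host"] for e in entries if query_params(e["path"]) & IDENTIFIER_PARAMS}),
        "periodic_hosts": periodic_hosts(entries),
        "apk_downloads": [(e["ts"].isoformat(), e["host"]) for e in entries if e["ctype"] == APK_MIME],
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A host that appears in all three findings is the one to block at the DNS or proxy layer, which is the mitigation Broenink recommends; the 30-minute tolerance absorbs the jitter a phone adds when it wakes from sleep, and `min_hits=3` avoids flagging a host from a single pair of requests.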
“If you own a Xiaomi device yourself, you might want to block all access to Xiaomi related domains, because by far this isn’t the only request to a Xiaomi site,” wrote Broenink on his blog.
This is not the first time Xiaomi phones have been found to have privacy and security concerns.
In August 2014, experts at the security firm F-Secure analyzing the new Xiaomi RedMi 1S discovered that it was sending users’ data to servers located in China.