Xiaomi Mi 4 smartphone with preinstalled malware and much more

The security firm Bluebox discovered preinstalled malware, several malicious apps, and a series of security holes on a Xiaomi Mi 4 smartphone.

After the Lenovo pre-installed malware episode, another case is worrying the IT community. This time, security firm Bluebox has discovered pre-installed malware and other security issues on a Xiaomi Mi 4 mobile device.

The situation differs from the Lenovo case, in which the vendor was aware that the spyware was present: here the mobile device appears to have been tampered with by an unidentified third party.

Bluebox tried to contact Xiaomi without receiving a response, so it decided to publish its report on Thursday.

“Xiaomi is fixing their response process and the device we tested appears to have been tampered with in the distribution/retail process by an unknown 3rd party which we’re researching. We’re still working with Xiaomi to gain clarification on some findings.” states the update provided in the report.

When the researchers first received the Xiaomi device they doubted that it was a legitimate phone from the company; to verify its authenticity they used Xiaomi’s “Mi Identification” app.

Upon further analysis, the experts discovered several malicious applications preloaded onto the Xiaomi smartphone, including a trojan that allows an attacker to gain complete control of the device, adware that disguises itself as a verified Google application, and a number of other risky apps.

“One particularly nefarious app was Yt Service. Yt Service embeds an adware service called DarthPusher that delivers ads to the device among other things.” reports the post. “Other risky apps of note included PhoneGuardService (com.egame.tonyCore.feicheng) classified as a Trojan, AppStats (org.zxl.appstats) classified as riskware and SMSreg classified as malware”

The experts also found other disconcerting issues: the Xiaomi device was vulnerable to every vulnerability Bluebox’s scanner checks for (except Heartbleed), it was rooted, and USB debugging was enabled.

“The USB debugging is especially troublesome because the device says it ships with Android 4.4.4, which should require the Android device to manually authorize an unknown connecting computer.” states the post.

“Additionally, we noticed that the device comes rooted. The “su” application does require a security provider to be used on the device (com.lbe.security.miui.su), so the usage of “su” is restricted in some sense, however it shouldn’t exist in a production released build of Android, as it’s a gateway for apps that can access it to do potentially bad things.”

Andrew Blaich of Bluebox explained that the Android build running on the Xiaomi Mi 4 his team analyzed was a non-certified version of Google’s OS, and that it was affected by a number of flaws.

Curiously, many of the security flaws the experts discovered were specific to older versions of Android, which led the researchers to believe the OS was a mix of the latest KitKat 4.4.4 and older Android releases.

Analysis of the app signatures reinforced the suspicion that the device had been tampered with: the certificates the apps were signed with appeared to differ from the manufacturer’s signing key.
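The check described above, verifying which key signed each preloaded app, is something anyone triaging a suspect device can reproduce. The script below is an added example, not Bluebox’s or Xiaomi’s code: it reads an APK’s JAR-style (v1) signature block from META-INF/*.RSA, *.DSA or *.EC, walks the PKCS#7 SignedData structure with a minimal DER reader to extract the signer certificates, and compares their SHA-256 fingerprints with a set of trusted OEM fingerprints. The certificates, fingerprints and package names used here are constructed test data, not Xiaomi’s real keys or apps.

```python
"""Audit APK signer certificates against trusted OEM fingerprints.
Added example; every certificate, fingerprint and package name is constructed."""
import hashlib
import io
import zipfile

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1

def der_tlv(buf, pos=0):
    """Parse one DER TLV starting at buf[pos]; return (tag, value, end offset)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Yield (tag, value, raw_tlv) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, end = der_tlv(value, pos)
        yield tag, inner, value[pos:end]
        pos = end

def certs_from_pkcs7(blob):
    """Return the DER bytes of each certificate carried in a PKCS#7 SignedData."""
    tag, content_info, _ = der_tlv(blob)
    if tag != 0x30:
        raise ValueError("PKCS#7 ContentInfo must be a SEQUENCE")
    kids = list(der_children(content_info))
    if len(kids) < 2 or kids[0][:2] != (0x06, OID_SIGNED_DATA) or kids[1][0] != 0xA0:
        raise ValueError("not a PKCS#7 signedData ContentInfo")
    signed_data = next(der_children(kids[1][1]))[1]  # [0] EXPLICIT -> SignedData SEQUENCE
    certs = []
    for tag, value, _raw in der_children(signed_data):
        if tag == 0xA0:  # [0] IMPLICIT certificates: SET OF Certificate
            certs.extend(raw for t, _v, raw in der_children(value) if t == 0x30)
    return certs

def cert_fingerprints(apk_bytes):
    """SHA-256 fingerprints of every signer certificate in the APK's v1 signature."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            up = name.upper()
            if up.startswith("META-INF/") and up.endswith((".RSA", ".DSA", ".EC")):
                for cert in certs_from_pkcs7(zf.read(name)):
                    fps.add(hashlib.sha256(cert).hexdigest())
    return fps

def audit_apks(apks, trusted):
    """Map package -> 'oem' (all signers trusted), 'untrusted' or 'unsigned'."""
    verdicts = {}
    for package, data in apks.items():
        fps = cert_fingerprints(data)
        verdicts[package] = "unsigned" if not fps else "oem" if fps <= trusted else "untrusted"
    return verdicts

# --- constructed test data: a fake OEM certificate and a fake third-party one ---
def _der(tag, value):
    """Encode one DER TLV (short or long form length)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def build_pkcs7(cert_der):
    """Minimal PKCS#7 SignedData envelope around one certificate (test data only)."""
    signed_data = (_der(0x02, b"\x01")                  # version
                   + _der(0x31, b"")                     # digestAlgorithms
                   + _der(0x30, _der(0x06, OID_DATA))    # encapContentInfo
                   + _der(0xA0, cert_der)                # [0] certificates
                   + _der(0x31, b""))                    # signerInfos
    return _der(0x30, _der(0x06, OID_SIGNED_DATA) + _der(0xA0, _der(0x30, signed_data)))

def build_apk(cert_der=None):
    """Stand-in APK: a zip carrying a v1 signature block when cert_der is given."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00")
        if cert_der is not None:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", build_pkcs7(cert_der))
    return buf.getvalue()

OEM_CERT = _der(0x30, b"constructed OEM platform certificate")
ROGUE_CERT = _der(0x30, b"constructed third-party certificate")
TRUSTED_OEM_FINGERPRINTS = {hashlib.sha256(OEM_CERT).hexdigest()}
SAMPLE_APKS = {  # constructed package names, not apps from the report
    "com.example.oem.launcher": build_apk(OEM_CERT),
    "com.example.preloaded.service": build_apk(ROGUE_CERT),
    "com.example.noise": build_apk(),
}

if __name__ == "__main__":
    for pkg, verdict in audit_apks(SAMPLE_APKS, TRUSTED_OEM_FINGERPRINTS).items():
        print(f"{pkg:32} {verdict}")
```

On a real device the input would be the APKs pulled from the system partition (`adb shell pm list packages -f` lists their paths, `adb pull` fetches them), and the trusted set would be the fingerprints of the OEM’s platform and release keys taken from a known-good build of the same firmware. Anything preloaded into /system that is signed by a key outside that set, or that carries no signature at all, is exactly the kind of finding the researchers describe. The reader is limited to v1 (JAR) signatures, which is what devices of this era used; for APKs carrying only v2/v3 signatures, `apksigner verify --print-certs` from the Android SDK prints the same fingerprints.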

On Friday, Bluebox finally received a response from Xiaomi, which confirmed that it is investigating the incident.

“We are certain the device that Bluebox tested is not using a standard MIUI ROM, as our factory ROM and OTA ROM builds are never rooted and we don’t pre-install services such as YT Service, PhoneGuardService, AppStats etc. Bluebox could have purchased a phone that has been tampered with, as they bought it via a physical retailer in China. Xiaomi does not sell phones via third-party retailers in China, only via our official online channels and selected carrier stores.” — Hugo Barra, VP International

Barra urged customers to purchase Xiaomi products only from Mi.com and verified stores.

Pierluigi Paganini

(Security Affairs – Xiaomi, malware)
