Pierluigi Paganini July 14, 2016

Millions of Xiaomi smartphone are affected by a critical remote code execution flaw that could be exploited by hackers to take over the mobile devices.

Millions of Xiaomi mobile are vulnerable to remote hacking due to a critical remote code execution (RCE) vulnerability that could be exploited by hackers to take over the mobile devices.

The flaw was discovered by the IBM X-Force researcher David Kaplan, it resides in the customization of the Android operating system. It affects versions prior to MIUI Global Stable 7.2 which leverages on Android 6.0, it is important to clarify that Xiaomi has already fixed it.

The MIUI is “the flavor of Android” developed by Xiaomi primary for its use, but MIUI builds are freely available for other vendors.

The vulnerability allows an attacker with privileged network access that shares the same network (i.e. A Wi-Fi connection in a public place), to remotely install a malware on the affected devices.

“The vulnerability we discovered allows for a man-in-the-middle (MitM) attacker to execute arbitrary code as the highly privileged Android system user. It has been remediated by Xiaomi from MIUI Global Stable version 7.2, and IBM strongly recommended that users update their firmware as soon as possible to ensure they are not vulnerable.” reported a blog post published on IBM X-Force.

The experts from IBM noticed the presence of various applications in the analytics package of the MIUI that are vulnerable to RCE. The attacker can exploit an MITM attack to inject a JSON response that was specially crafted to force a malicious update that is executed at a system level. Basically, the attacker replaces the link and MD5 hash to of the legitimate Android app with a malicious one.

“The vulnerability resides in the analytics package, which is present in various applications that come with MIUI. All applications with the analytics package are vulnerable to remote code execution via MitM. We identified at least four vulnerable applications in the MIUI developer Rom version 6.1.8, including the built-in browser app. These had differing sets of privileges and capabilities.”

The vulnerable analytics packages were spotted by the experts in at least four default applications, including the default browser app, in the MIUI builds.

The expert highlighted the lack of a cryptographic verification of the update code, this means that the analytics package will replace itself with the malicious one supplied by the attacker.

“Since there is no cryptographic verification of the update code itself, the analytics package will replace itself with the attacker-supplied version via Android’s DexClassLoader mechanism.” continues the post.

The worst aspect of the story is that the analytics package implements a totally insecure update mechanism, it doesn’t use an HTTPS connection to the server for updates, nor it downloads the package over HTTPS, opening the doors to MITM attacks.

The vulnerability could can a significant impact considering that millions of Xiaomi smartphones are vulnerable to remote hacking.

Xiaomi is the world’s third-largest smartphone maker, in 2015 it has shipped over 70 Million devices and its ROM is ported to over 340 different handsets including Nexus, Samsung, and HTC.

Users must update their firmware to version 7.2 as soon as possible.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Xiaomi, MIUI)