Warning: Millions of Xiaomi Phones Vulnerable to Remote Hacking

in hacker •  8 years ago 

 Millions of Xiaomi smartphones are vulnerable to a dangerous remote code execution (RCE) vulnerability that could grant attackers complete control of handsets.

The vulnerability, now patched, exists in MIUI – Xiaomi's own implementation of the Android operating system – in versions prior to MIUI Global Stable 7.2 which is based on Android 6.0.

The flaw, discovered by IBM X-Force researcher David Kaplan, potentially allows attackers with privileged network access, such as cafe Wi-Fi, to install malware remotely on the affected devices and fully compromise them. 


Researchers found some apps in the analytics package in MIUI, which can be abused to provide malicious ROM updates remotely through a man-in-the-middle attack.

"The vulnerability we discovered allows for a man-in-the-middle attacker to execute arbitrary code as the highly privileged Android 'system' user," researchers say.

Researchers say they discovered vulnerable analytics packages in at least four default apps provided by Xiaomi in its MIUI distributions, one of those apps being the default browser app.

The flaw allows an attacker to inject a JSON response to force an update by replacing the link and MD5 hash with a malicious Android application package containing malicious code, which is executed at the system level. 

 Since there is not any cryptographic verification of the update code, the analytics package (com.xiaomi.analytics) will replace itself with "the attacker-supplied version via Android's DexClassLoader mechanism."

In order words, the analytics package neither uses HTTPS to query an update server for updates, nor it downloads the package over HTTPS, thus allowing attackers to modify the updates.

The custom ROM ships on devices manufactured by developer Xiaomi – World's third largest smartphone maker with over 70 Million devices shipped just last year alone – and is also ported to over 340 different handsets including Nexus, Samsung, and HTC.

Since the company has patched the flaw and released a over-the-air update, users are strongly recommended to update their firmware to version 7.2 as soon as possible in order to ensure they are not vulnerable to this issue that plagues Millions of Xiaomi devices. 

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  

Congratulations @jokerdarkknight! You have received a personal award!

Happy Birthday - 1 Year
Click on the badge to view your own Board of Honor on SteemitBoard.

For more information about this award, click here

By upvoting this notification, you can help all Steemit users. Learn how here!

Congratulations @jokerdarkknight! You have received a personal award!

2 Years on Steemit
Click on the badge to view your Board of Honor.

Do not miss the last post from @steemitboard:
SteemitBoard World Cup Contest - Home stretch to the finals. Do not miss them!


Participate in the SteemitBoard World Cup Contest!
Collect World Cup badges and win free SBD
Support the Gold Sponsors of the contest: @good-karma and @lukestokes


Do you like SteemitBoard's project? Then Vote for its witness and get one more award!

Congratulations @jokerdarkknight! You received a personal award!

Happy Birthday! - You are on the Steem blockchain for 3 years!

You can view your badges on your Steem Board and compare to others on the Steem Ranking

Vote for @Steemitboard as a witness to get one more award and increased upvotes!