- Jul 22, 2014
Attackers can hijack Xiaomi Mi4 devices, and possibly Redmi handsets, due to the improper way Xiaomi handles the update procedure for a built-in app called AnalyticsCore.
All OEMs pack a suite of bloatware apps with their devices. One of the apps that Xiaomi includes with its bastard Android version is the AnalyticsCore, which by its name, is obviously a package for collecting data about device usage.
Dutch security researcher Thijs Broenink, who blogged about this issue two days ago, says the app contains code that checks for a new version every 24 hours.
Attackers could replace the update package with their own APK
If the app finds a new version on the Xiaomi home servers, it will download this version and run it on the user's device under a user/app with high privileges.
Broenink says the app doesn't check the validity or source of the downloaded APK, which opens the door for possible on-device attacks.
Malware present on the user's phone could watch when this file is downloaded, or place it in a special app folder and have it installed by the automatic update procedure.
"It seems like there indeed is no validation on what APK is getting installed. So it looks like Xiaomi can replace any (signed?) package they want silently on your device within 24 hours," the researcher also suggested. Is this a backdoor to your Xiaomi device? Probably not. But it shouldn't be there either.
On-device and MitM attacks are both possible
Furthermore, the AnalyticsCore app downloads updates from an HTTP URL, exposing itself and its users to Man-in-the-Middle attacks.
"One can intercept the [download] request on a public hotspot and deliver a modified APK file," Broenink said in a Twitter conversation. "But yes, a MitM seems like a plausible scenario."
In his blog, the Dutch researcher recommends that users block any network requests from the phone to the xiaomi.com domain, just to be safe.
Broenink has not filed a bug report with Xiaomi about his discovery. Softpedia has reached out to Xiaomi to inform the company about the researcher's findings and for additional comment on this issue.
It's bloatware, collects data and it's unsafe.....
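The two defects described above (updates fetched over plain HTTP, and no check on what package gets installed) map onto two concrete gates an updater should enforce before handing a file to the installer. The following is an added example written for this thread; it is not code from the article, from Broenink's write-up or from Xiaomi. The hostname, the manifest layout and the sample package bytes are all hypothetical, and in a real updater the manifest holding the expected digest would itself be signed by the vendor and verified against a pinned key.

```python
"""Added example (not from the article or Xiaomi): the two checks an
update path like AnalyticsCore's should enforce, in minimal Python form.

1. Only fetch update metadata and packages over HTTPS from a pinned host.
2. Refuse to install a package whose SHA-256 does not match the digest
   published in a trusted manifest.

Hostnames, manifest layout and the sample package are hypothetical.
"""
import hashlib
import hmac
from urllib.parse import urlparse

# Hypothetical pinned update host; a real updater would additionally pin
# the TLS certificate or the key that signs the manifest.
PINNED_UPDATE_HOST = "updates.example.com"


class UpdateRejected(Exception):
    """Raised when an update fails a safety check and must not be installed."""


def check_update_url(url: str) -> str:
    """Accept only https:// URLs on the pinned host; return the normalised URL."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise UpdateRejected(f"refusing non-HTTPS update URL: {url}")
    if parsed.hostname != PINNED_UPDATE_HOST:
        raise UpdateRejected(f"refusing update from unexpected host: {parsed.hostname}")
    return parsed.geturl()


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def verify_package(package: bytes, manifest: dict) -> bool:
    """Return True only if the package digest matches the trusted manifest."""
    expected = manifest.get("sha256", "")
    actual = sha256_hex(package)
    # Constant-time comparison: not strictly needed for a public hash, but a good habit.
    return hmac.compare_digest(actual, expected)


def install_if_valid(url: str, package: bytes, manifest: dict) -> bool:
    """Gate an install on both checks; returns True when the install may proceed."""
    check_update_url(url)
    if not verify_package(package, manifest):
        raise UpdateRejected("package digest does not match manifest; possible tampering")
    # Only at this point would a real updater hand the file to the package installer.
    return True


# --- constructed sample data (not real Xiaomi artefacts) -------------------
SAMPLE_PACKAGE = b"PK\x03\x04 constructed fake APK bytes v2"
TRUSTED_MANIFEST = {"version": 2, "sha256": sha256_hex(SAMPLE_PACKAGE)}
TAMPERED_PACKAGE = SAMPLE_PACKAGE + b" modified in transit"


def demo() -> dict:
    """Run four scenarios and report which ones the gate lets through."""
    results = {}
    results["genuine_https"] = install_if_valid(
        "https://updates.example.com/analyticscore-v2.apk", SAMPLE_PACKAGE, TRUSTED_MANIFEST)
    for name, url, pkg in [
        ("tampered_https", "https://updates.example.com/analyticscore-v2.apk", TAMPERED_PACKAGE),
        ("genuine_http", "http://updates.example.com/analyticscore-v2.apk", SAMPLE_PACKAGE),
        ("genuine_other_host", "https://mirror.example.net/analyticscore-v2.apk", SAMPLE_PACKAGE),
    ]:
        try:
            results[name] = install_if_valid(url, pkg, TRUSTED_MANIFEST)
        except UpdateRejected:
            results[name] = False
    return results


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{scenario:20s} -> {'INSTALL' if allowed else 'REJECTED'}")
```

The digest check is what stops the on-device swap the article describes (a file dropped into the update folder no longer matches the manifest), and the scheme and host check is what removes the public-hotspot interception scenario, since a plain-HTTP download is never attempted. Neither check is a substitute for Android's own APK signature verification; the point is that the updater must do something before installing, and the article's complaint is that AnalyticsCore did nothing.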