A computer science student and security enthusiast has discovered the presence of a backdoor in Xiaomi Mi4. The backdoor could allow an attacker - or Xiaomi itself - to silently install any app on the phone.
Thijs Broenink analyzed his Xiaomi mobile device to investigate the presence and purpose of pre-installed apps and services. All OEMs ship a suite of built-in apps with their devices, but there have been multiple instances in the past where Xiaomi was found pre-installing malware on its mobile devices. Broenink has now discovered that attackers can hijack Xiaomi Mi4 and possibly Redmi handsets due to Xiaomi's handling of a built-in APK called AnalyticsCore.
AnalyticsCore.apk is a package that collects data about device usage and runs in the background. When the researcher tried to delete it, the APK reappeared. Broenink asked on the company's support forum about the purpose of this app; getting no response, he decided to reverse engineer the code. He found that the app sends device identification information, including the phone's IMEI, model, MAC address, and other such data.
MitM attacks are also a possibility
The researcher also found that the app checks for a new update from the Xiaomi server every 24 hours. If the app finds a more recent apk with the filename “Analytics.apk,” it will automatically download and install it without any user interaction.
This is where the problem begins. How does the AnalyticsCore.apk check the authenticity of this update file? What if an attacker replaces this app with a trojanized version having the exact same name?
"The question is then: does it verify the correctness of the APK, and does it make sure that it is in fact an Analytics app? If it does not, that means Xiaomi can install any app on your device it wants, as long as it’s named Analytics.apk," Broenink wrote in a blog post.
Broenink found that there is no validation implemented by Xiaomi to check which apk is being installed on the user's device. This means that hackers can exploit this loophole to deliver malicious software to millions of Xiaomi handsets. Not only hackers but Xiaomi itself can silently install any application on its devices without any user interaction.
So it looks like Xiaomi can replace any (signed?) package they want silently on your device within 24 hours.
If that wasn't enough of a security nightmare, the AnalyticsCore app downloads updates over an HTTP connection, exposing users to MitM attacks. "One can intercept the [download] request on a public hotspot and deliver a modified APK file," Broenink said. "But yes, a MitM seems like a plausible scenario."
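As an added example (not code from Xiaomi's component or from Broenink's analysis), this is the kind of gate an Android self-updater should pass before installing a downloaded APK: refuse plain-HTTP download URLs, and require the candidate file to declare the expected package name, carry a higher version than the installed copy, and be signed by the same certificate as the installed copy. The package name com.example.analyticscore and the class name are placeholders; a matching filename such as "Analytics.apk" is deliberately never consulted.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.io.File;
import java.net.URI;
import java.security.MessageDigest;

/** Checks a self-updating component should apply before handing a downloaded APK to the installer. */
public final class UpdateGate {
    // Placeholder package name; the real component's name is not given on the page.
    private static final String EXPECTED_PACKAGE = "com.example.analyticscore";

    /** Plain-HTTP update URLs are refused: that is exactly the public-hotspot MitM scenario. */
    public static boolean isTransportAcceptable(String updateUrl) {
        return "https".equalsIgnoreCase(URI.create(updateUrl).getScheme());
    }

    /**
     * Accept the downloaded APK only if it parses, declares the expected package name, is newer
     * than what is installed, and is signed by exactly the certificate that signed the installed copy.
     */
    @SuppressWarnings("deprecation") // GET_SIGNATURES/versionCode still work on the older releases involved
    public static boolean isApkAcceptable(Context ctx, File downloadedApk) throws Exception {
        PackageManager pm = ctx.getPackageManager();
        PackageInfo candidate = pm.getPackageArchiveInfo(
                downloadedApk.getAbsolutePath(), PackageManager.GET_SIGNATURES);
        if (candidate == null || !EXPECTED_PACKAGE.equals(candidate.packageName)) {
            return false; // unparseable, or not the component this updater is responsible for
        }
        PackageInfo installed = pm.getPackageInfo(EXPECTED_PACKAGE, PackageManager.GET_SIGNATURES);
        if (candidate.versionCode <= installed.versionCode) {
            return false; // refuse downgrades and replays of the currently installed version
        }
        return sameSingleSigner(candidate.signatures, installed.signatures);
    }

    private static boolean sameSingleSigner(Signature[] a, Signature[] b) throws Exception {
        if (a == null || b == null || a.length != 1 || b.length != 1) {
            return false; // unsigned or multi-signer APKs are outside this component's policy
        }
        byte[] da = MessageDigest.getInstance("SHA-256").digest(a[0].toByteArray());
        byte[] db = MessageDigest.getInstance("SHA-256").digest(b[0].toByteArray());
        return MessageDigest.isEqual(da, db); // constant-time comparison of the certificate digests
    }
}
```

Every failure path returns false, so the updater fails closed; an attacker who can only rename a file or tamper with an HTTP response has nothing to satisfy these checks with.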
Xiaomi's response to these allegations
Xiaomi has given the following statement to the media. The firm confirmed that any APK without an official signature will fail to install. However, it didn't rebut the claims that the company itself could install anything it wants in the background without user interaction.
AnalyticsCore is a built-in MIUI system component that is used by MIUI components for the purpose of data analysis to help improve user experience, such as MIUI Error Analytics.
As a security measure, MIUI checks the signature of the Analytics.apk app during installation or upgrade to ensure that only the APK with the official and correct signature will be installed.
Any APK without an official signature will fail to install. As AnalyticsCore is key to ensuring better user experience, it supports a self-upgrade feature. Starting from MIUI V7.3 released in April/May, HTTPS was enabled to further secure data transfer, to prevent any man-in-the-middle attacks.
In the meantime, researchers have suggested that users block all connections to Xiaomi domains using a firewall app.