
Xiaomi Can Silently Install Any App On Your Android Phone Using A Backdoor




Do you own an Android Smartphone from Xiaomi, HTC, Samsung, or OnePlus?

If yes, then you must be aware that almost all smartphone manufacturers provide custom ROMs like CyanogenMod, Paranoid Android, MIUI and others with some pre-loaded themes and applications to increase the device's performance.

But do you have any idea about the pre-installed apps and services your manufacturer has installed on your device? What are their purposes? And do they pose any threat to your security or privacy?

With the same curiosity to find answers to these questions, a computer science student and security enthusiast from the Netherlands who owns a Xiaomi Mi4 smartphone started investigating the purpose of a mysterious pre-installed app, dubbed AnalyticsCore.apk, that runs 24x7 in the background and reappears even if you delete it.

Xiaomi is one of the world's largest smartphone manufacturers, which has previously been criticized for spreading malware, shipping handsets with pre-loaded spyware/adware and a forked version of Android OS, and secretly stealing users' data from the device without their permission.

Xiaomi Can Silently Install Any App On Your Device

After asking about the purpose of the AnalyticsCore app on the company's support forum and getting no response, Thijs Broenink reverse engineered the code and found that the app checks for a new update from the company's official server every 24 hours.

While making these requests, the app sends device identification information, including the phone's IMEI, model, MAC address, nonce, package name and signature.

If there is an updated app available on the server with the filename "Analytics.apk," it will automatically get downloaded and installed in the background without user interaction.

Now the question is: does your phone verify the correctness of the APK, and does it make sure that it is actually an Analytics app?

Broenink found that there is no validation at all to check which APK is getting installed on the user's phone, which means there is a way for hackers to exploit this loophole.

This also means Xiaomi can remotely and silently install any application on your device just by renaming it to "Analytics.apk" and hosting it on the server.
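The missing validation, sketched as an added example (not code from AnalyticsCore or from Broenink's analysis): a name-only acceptance test next to a gate that checks the transport, the package identity and the signing certificate before anything is handed to the installer. The class name, `EXPECTED_PACKAGE` and the pinned digest are hypothetical placeholders.

```java
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.net.URL;
import java.security.MessageDigest;

/** Hypothetical pre-install gate for a self-updating system component. */
public final class UpdateGate {
    // Assumed values: the only package this updater may replace, and the
    // SHA-256 of the vendor signing certificate (all-zero placeholder, not a real digest).
    private static final String EXPECTED_PACKAGE = "com.example.analytics";
    private static final byte[] PINNED_CERT_SHA256 = new byte[32];

    /** The pattern the article describes: the file name is the only "check". */
    static boolean acceptByNameOnly(String fileName) {
        return "Analytics.apk".equals(fileName);
    }

    /** Hardened gate: transport, package identity and signer must all match. */
    static boolean acceptVerified(PackageManager pm, URL source, String apkPath)
            throws Exception {
        // A cleartext download can be swapped in transit, so refuse it outright.
        if (!"https".equalsIgnoreCase(source.getProtocol())) {
            return false;
        }
        // Parse the downloaded archive itself rather than trusting its name.
        // GET_SIGNATURES is deprecated since API 28; newer code requests
        // GET_SIGNING_CERTIFICATES and reads PackageInfo.signingInfo instead.
        PackageInfo info =
                pm.getPackageArchiveInfo(apkPath, PackageManager.GET_SIGNATURES);
        if (info == null || !EXPECTED_PACKAGE.equals(info.packageName)) {
            return false; // unparsable, or a different app under the expected name
        }
        Signature[] signers = info.signatures;
        if (signers == null || signers.length != 1) {
            return false; // require exactly one signer
        }
        // Compare the signer certificate digest against the pinned value.
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(signers[0].toByteArray());
        return MessageDigest.isEqual(digest, PINNED_CERT_SHA256);
    }
}
```

Only a file for which `acceptVerified` returns true would be passed on to the installer; anything else is discarded.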

Hackers Can Also Exploit This Backdoor

Since the researcher could not find the actual purpose of the AnalyticsCore app, either by Googling or on the company's website, it is hard to say why Xiaomi has kept this mysterious "backdoor" on millions of its devices.

As I previously said: There is no such backdoor that only its creator can access.

So, what if hackers or any intelligence agency figure out how to exploit this backdoor to silently push malware onto millions of Xiaomi devices within just 24 hours?

Ironically, the device connects and receives updates over an HTTP connection, exposing the whole process to Man-in-the-Middle attacks.

"This sounds like a vulnerability to me anyhow, since they have your IMEI and Device Model, they can install any APK for your device specifically," Broenink said.

Even on the Xiaomi discussion forum, multiple users have shown their concerns about the existence of this mysterious APK and its purpose.

"Don't know what purpose does it serve. Even after deleting the file it reappears after some time," one user said.

Another said, "if I go to battery usage app, this app is always at the top. It is eating away at resources I believe."

How to Block Secret Installation?

As a temporary workaround, Xiaomi users can block all connections to Xiaomi related domains using a firewall app.

No one from the Xiaomi team has yet commented on its forum about the question raised by Broenink. We'll update the story as soon as we hear from the company.

Meanwhile, if you are a Xiaomi user and have experienced anything fishy on your device, hit the comments below and let us know.

Official Statement From Xiaomi

A Xiaomi spokesperson has reached out to The Hacker News with an official statement on the claims made by Thijs Broenink about a backdoor that lets hackers, as well as Xiaomi itself, secretly install any application on the millions of affected devices, saying:

"AnalyticsCore is a built-in MIUI system component that is used by MIUI components for the purpose of data analysis to help improve user experience, such as MIUI Error Analytics."

Although the company did not deny or comment on its ability to automatically install any app onto your device in the background without your interaction, the spokesperson clarified that hackers would not be able to exploit this "self-upgrade" feature.

"As a security measure, MIUI checks the signature of the Analytics.apk app during installation or upgrade to ensure that only the APK with the official and correct signature will be installed," the representative added.

"Any APK without an official signature will fail to install. As AnalyticsCore is key to ensuring better user experience, it supports a self-upgrade feature. Starting from MIUI V7.3 released in April/May, HTTPS was enabled to further secure data transfer, to prevent any man-in-the-middle attacks."

We have further reached out to Xiaomi for a comment on its ability to auto-install apps without the user's interaction.
