Xiaomi Mi4 LTE Android smartphone shipped with preloaded spyware/adware and a mixed Android OS which is a big security risk, says Bluebox, a claim that Xiaomi strongly refutes

Both their statements are appended at the end of the article. Chinese tech major Xiaomi has steadily risen to become one of the top sellers of smartphones worldwide and is at present the third largest manufacturer of smartphones. Its smartphones are highly popular in countries like India and China. Its latest edition, the Mi4 LTE smartphone, is already seeing top quality sales, with over 25,000 units sold out in just 15 seconds in a flash sale on India’s online retailer Flipkart. However, all is not hunky-dory with the Xiaomi Mi4 LTE smartphone, according to security researchers at mobile data security company Bluebox. Bluebox researchers have found two very critical security problems with the Xiaomi Mi4 LTE. One of them is the set of pre-installed apps loaded on the Mi4, which Bluebox says are being flagged as malware. The other problem is that the Mi4 sports a forked Android operating system, which can be a huge security risk for its users.

Apps detected as malware found in default configuration

To research the security issues with Xiaomi Mi4, Bluebox researchers ordered a Mi4 directly from China. Firsthand investigations revealed that the unit they bought came pre-installed with a set of risky Apps most of which were flagged as malware by antivirus software.

Yt Service

Yt Service is one such app that Bluebox researchers found to be particularly dangerous. Yt Service, whose purpose is to integrate an adware service called DarthPusher, comes preloaded on all Xiaomi Mi4 LTE smartphones. The unassuming adware, which is used to push ads, gives the false impression that it has been developed by Google: Bluebox says that the Yt Service package is named “com.google.hfapservice”, suggesting that it is a legitimate app developed by Google.

PhoneGuardService

Another of the shady apps flagged by antivirus solutions as a Trojan, PhoneGuardService, has a name which can fool users. It is packaged as “com.egame.tonyCore.feicheng”. In addition to PhoneGuardService, Bluebox also found another app called SMSreg and a total of six other apps which come preloaded on the Xiaomi Mi4 LTE but behave like spyware and adware.

Forked OS version vulnerable to Masterkey, FakeID, and Towelroot (Linux futex)

Bluebox said that they discovered the Android version aboard the Mi4 to be a sort of mixture of Android KitKat, Jelly Bean and even earlier Android versions. Bluebox researchers said they used Trustable, their mobile security assessment tool, which discovered that the Mi4 LTE was vulnerable to a host of recently discovered flaws such as Masterkey, FakeID and Towelroot (Linux futex). Bluebox researchers stated that the Mi4 was vulnerable to all the big flaws except Heartbleed.

The researchers said that the “su” application does require a security provider to be used on the device (com.lbe.security.miui.su), so the usage of “su” is restricted in some sense; however, it shouldn’t exist in a production release build of Android, as it is a gateway for apps and could be leveraged by cyber criminals to take advantage of root access and take complete control over the device.

To showcase the forked nature of the Android build, they said that the USB debugging icon was taken from Jelly Bean (Android 4.1-4.3.1), while other vulnerabilities they uncovered were specific to earlier versions of Android and have been fixed in KitKat. Bluebox however made it clear that they did not know whether the device they were testing was a lab prototype or whether it was intended as a consumer release.

So if you are a buyer or you have already bought the Xiaomi Mi4 LTE, kindly note these facts published by Bluebox and take the necessary action to mitigate the problem. To combat this risk, employees and enterprises need to be careful about how they secure data (personal and corporate) on their devices.
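The mixed-version signs Bluebox reported (a 4.4.4 release string alongside SDK level 17, and test-keys build tags that conflict with a release-keys fingerprint) can be checked mechanically from `adb shell getprop` output. The following script is an added example written for this article, not Bluebox's Trustable tool or any Xiaomi code; the sample property lines are constructed to mirror the values the article quotes, and the release-to-API table is a small subset covering only the versions discussed.

```python
import re

# Constructed sample in `adb shell getprop` output format, mirroring the values
# the article quotes from Bluebox's report (not a real device capture).
SAMPLE_GETPROP = """\
[ro.build.version.release]: [4.4.4]
[ro.build.version.sdk]: [17]
[ro.build.tags]: [test-keys]
[ro.build.fingerprint]: [Xiaomi/cancro/cancro:4.4.4/KTU84P/KXDCNBH25.0:user/release-keys]
"""
# Android release -> API level, for the versions the article discusses.
RELEASE_TO_API = {"4.1": 16, "4.2": 17, "4.3": 18, "4.4": 19}
PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")

def parse_getprop(text):
    """Turn `[key]: [value]` lines into a dict; malformed lines are skipped."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props

def audit_build_props(props):
    """Return the inconsistencies that point to a mixed or re-signed ROM."""
    findings = []
    release = props.get("ro.build.version.release", "")
    sdk = props.get("ro.build.version.sdk", "")
    tags = props.get("ro.build.tags", "")
    fp = props.get("ro.build.fingerprint", "")
    # 1. Declared release and SDK level must agree (4.4.x is API 19).
    expected = RELEASE_TO_API.get(".".join(release.split(".")[:2]))
    if expected is not None and sdk.isdigit() and int(sdk) != expected:
        findings.append(f"release {release} implies API {expected}, but sdk is {sdk}")
    # 2. test-keys means the image was signed with the public AOSP test keys.
    if "test-keys" in tags:
        findings.append("ro.build.tags=test-keys: not a production-signed build")
    # 3. Fingerprint is brand/product/device:release/id/incremental:type/tags;
    #    its release and tags must match the separate properties.
    parts = fp.split(":")
    if len(parts) == 3:
        fp_release = parts[1].split("/")[0]
        fp_tags = parts[2].split("/")[-1]
        if fp_release != release:
            findings.append(f"fingerprint release {fp_release} != release {release}")
        if fp_tags != tags:
            findings.append(f"fingerprint tags {fp_tags} != ro.build.tags {tags}")
    return findings
```

Run against the constructed sample, `audit_build_props(parse_getprop(SAMPLE_GETPROP))` reports three findings: the release/SDK mismatch, the test-keys signing, and the tags conflict with the fingerprint.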
[ro.build.version.release]: [4.4.4] (this corresponds to Android KitKat and API level 19)
[ro.build.version.sdk]: [17] (this API level corresponds to Android Jelly Bean 4.2)
[ro.build.tags]: [test-keys] (this is usually shown on test or debug builds of software, but conflicts with the tags in the device fingerprint)
[ro.build.fingerprint]: [Xiaomi/cancro/cancro:4.4.4/KTU84P/KXDCNBH25.0:user/release-keys]

One of the possible solutions would be to completely root the device and put an OS of your own choice aboard it.

Kaylene Hong, Communications Manager at Xiaomi, reached out to us for this article. Here is what she had to say:

2) IMEI number: Xiaomi after-sales team has confirmed that the IMEI on the device from Bluebox is a cloned IMEI number which has been previously used on other counterfeit Xiaomi devices in China.

3) Software: Xiaomi MIUI team has confirmed that the software installed on the device from Bluebox is not an official Xiaomi MIUI build as our devices do not come rooted and do not have any malware pre-installed.

As this device is not an original Xiaomi product, and not running an official Xiaomi MIUI software build, Bluebox’s findings are completely inaccurate and not representative of Xiaomi devices. We believe Bluebox jumped to a conclusion too quickly without a fully comprehensive investigation (for example, they did not initially follow our published hardware verification process correctly due to language barrier) and their attempts to contact Xiaomi were inadequate, considering the severity of their accusations.

With the large parallel street market for mobile phones in China, there exist counterfeit products that are almost indistinguishable on the outside. This happens across all brands, affecting both Chinese and foreign smartphone companies selling in China. Furthermore, “entrepreneurial” retailers may add malware and adware to these devices, and even go to the extent of pre-installing modified copies of popular benchmarking software such as CPU-Z and Antutu, which will run “tests” showing the hardware is legitimate. Xiaomi takes all necessary measures to crack down on the manufacturers of fake devices or anyone who tampers with our software, supported by all levels of law enforcement agencies in China.

We have so far not received meaningful reports of counterfeit Mi phones outside of China. However, to give our international users peace of mind, an English version of our verification app (that certifies the authenticity of Mi hardware) is in the works. Like all other consumer electronics brands, we always recommend buying Mi phones through authorised channels. Xiaomi only sells via Mi.com, and a small number of Xiaomi trusted partners including mobile operators and select authorised retailers, such as Flipkart in India and others that will be announced in the future.

In addition, contrary to what Bluebox has claimed, MIUI is true Android, which means MIUI follows exactly Android CDD, Google’s definition for compatible Android devices, and it passes all Android CTS tests, the process used by the industry to make sure a given device is fully Android compatible. All Xiaomi devices sold in China and international markets are fully Android compatible.

Bluebox Labs responded with the following statement:

Bluebox Labs has been talking with the security team at Xiaomi. The security team did provide some clarified feedback that we had sought out in our original disclosure on the security posture of the MIUI ROM that Xiaomi ships with its devices. The team ran Trustable by Bluebox on the device and received a score of 6.7, a much better score over what Bluebox found with the non-standard MIUI ROM. Additionally, a lot of the discrepancies we found in the ROM are supposedly resolved in the Mi ROM that ships from the factory.

While we’re going off verification from the security team at Xiaomi, Bluebox Labs is awaiting some additional devices to arrive in order to carry out our own testing. The lessons learned in this endeavor come down to: responsible disclosure, supply chain, and authentication tools. Firstly, companies receiving responsible disclosure need to be vigilant about checking the accounts they have set up for receiving such alerts and working with researchers appropriately about their findings. Xiaomi has assured us that they have now taken the necessary steps to monitor the account more closely. The Xiaomi security team has also been excellent at providing us access to the information we’ve requested to verify our findings. Secondly, the supply chain is called into question. Whether or not the device was counterfeit, the fact remains that consumers are buying devices that have compromised ROMs (either put on legitimate hardware or put on counterfeit hardware) on them that put their data at risk. Finally, the authentication tools used to determine the authenticity of a device need to be drastically improved, as suppliers won’t have the time to receive and process dozens of photos per device sold to ascertain the authenticity of their devices or the technical expertise to circumvent the tricks in the software.