Xiaomi Mi4 comes with spy adware and a forked Android OS

Bluebox says the Xiaomi Mi4 LTE Android smartphone shipped with preloaded spyware/adware and a mixed Android OS, which is a big security risk. Xiaomi strongly refutes the claim.

#Update: Xiaomi has reached out to us with their version and informed us that the sample tested by Bluebox was not procured through official Xiaomi channels and may have been adulterated by third-party vendors without Xiaomi’s knowledge. The same has also been confirmed by Bluebox via an update to their original post.

Both statements are appended at the end of the article.

Chinese tech major Xiaomi has steadily risen to become one of the top sellers of smartphones worldwide and is at present the 3rd major manufacturer of smartphones. Its smartphones are highly popular in countries like India and China. Its latest edition, the Mi4 LTE smartphone, is already seeing top-quality sales, with over 25,000 units sold out in just 15 seconds in a flash sale on India’s online retailer Flipkart.

However, all is not hunky-dory with the Xiaomi Mi4 LTE smartphone, according to security researchers at mobile data security company Bluebox.

Bluebox researchers have found two very critical security problems with the Xiaomi Mi4 LTE. One is the set of pre-installed Apps loaded on the Mi4, which Bluebox says are being flagged as malware. The other is that the Mi4 sports a forked Android operating system, which can be a huge security risk for users.

Apps detected as malware found in default configuration

To research the security issues with the Xiaomi Mi4, Bluebox researchers ordered a Mi4 directly from China. Firsthand investigation revealed that the unit they bought came pre-installed with a set of risky Apps, most of which were flagged as malware by antivirus software.

Yt Service

Yt Service is one such App that Bluebox researchers found to be particularly dangerous. Yt Service, whose purpose is to integrate an adware service called DarthPusher, comes preloaded in all Xiaomi Mi4 LTE smartphones. The unassuming adware, which is used to push ads, gives the false impression that it has been developed by Google. Bluebox says that the Yt Service developer package is named “com.google.hfapservice”, giving the impression that it is a legitimate App developed by Google.

“In other words, it tricks users into believing it’s a ‘safe’ app vetted by Google,” Bluebox said in a blog post on Thursday.

PhoneGuardService

Another of the shady apps, flagged by antivirus solutions as a Trojan, is PhoneGuardService, whose name can fool users. It is packaged as “com.egame.tonyCore.feicheng”. In addition to PhoneGuardService, Bluebox also found another App called SMSreg and a total of six other Apps which come preloaded on the Xiaomi Mi4 LTE but behave like spyware and adware.

Forked OS version vulnerable to Masterkey, FakeID, and Towelroot (Linux futex)

Bluebox said that they discovered the Android version aboard the Mi4 to be a sort of mixture of Android KitKat, Jelly Bean and even earlier Android versions. Bluebox researchers said they used Trustable, their mobile security assessment tool, which found that the Mi4 LTE was vulnerable to a host of recently discovered flaws such as Masterkey, FakeID, and Towelroot (Linux futex). Bluebox researchers stated that the Mi4 was vulnerable to all the big flaws except Heartbleed.

“Not only was the device vulnerable to every vulnerability we scan for (except for Heartbleed which only was vulnerable in 4.1.1), it was also rooted and had USB debugging mode enabled without proper prompting to talk with a connected computer,” their blogpost says.

The researchers said that the “su” application does require a security provider to be used on the device (com.lbe.security.miui.su), so the usage of “su” is restricted in some sense. However, it shouldn’t exist in a production released build of Android, as it’s a gateway for apps and could be leveraged by cyber criminals to take advantage of root and gain complete control over the device.

To showcase the forked nature of the Android build, they said that the USB debugging icon was taken from Jelly Bean (Android 4.1-4.3.1), while other vulnerabilities they uncovered were specific to earlier versions of Android and have been fixed in KitKat.

Bluebox, however, made it clear that they did not know whether the device they were testing was a lab prototype or was intended as a consumer release.

Conflicting build properties

[ro.build.version.release]: [4.4.4] This corresponds to Android KitKat and API Level 19

[ro.build.version.sdk]: [17] The API level corresponds to Android Jelly Bean 4.2

[ro.build.tags]: [test-keys] This is usually shown on test or debug builds of software, but conflicts with the tags in the device fingerprint

[ro.build.fingerprint]: [Xiaomi/cancro/cancro:4.4.4/KTU84P/KXDCNBH25.0:user/release-keys]
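The conflicts among the four properties listed above can be checked mechanically. The following is an added example, not code from Bluebox or Xiaomi: it parses `getprop`-style output and reports mismatches between the release string, the SDK level, the build tags and the fingerprint. The function names and the small release-to-API table are assumptions made for this sketch; the sample input is the four properties quoted in the article.

```python
import re

# Android release (major.minor) -> API level, for the versions the article names.
API_LEVELS = {"4.1": 16, "4.2": 17, "4.3": 18, "4.4": 19}

PROP_RE = re.compile(r"^\s*\[([^\]]+)\]:\s*\[([^\]]*)\]", re.M)
# Fingerprint layout: brand/product/device:release/id/incremental:type/tags
FP_RE = re.compile(r"^[^/]+/[^/]+/[^:]+:([^/]+)/[^/]+/[^:]+:([^/]+)/(\S+)$")


def parse_getprop(text):
    """Parse getprop-style "[key]: [value]" lines into a dict."""
    return dict(PROP_RE.findall(text))


def build_prop_conflicts(props):
    """Return human-readable inconsistencies between build properties."""
    findings = []
    release = props.get("ro.build.version.release", "")
    sdk = props.get("ro.build.version.sdk", "")
    tags = props.get("ro.build.tags", "")
    expected = API_LEVELS.get(".".join(release.split(".")[:2]))
    if expected is not None and sdk.isdigit() and int(sdk) != expected:
        findings.append(f"release {release} implies API {expected}, but sdk is {sdk}")
    if "test-keys" in tags.split(","):
        findings.append("build is signed with test-keys")
    fp = FP_RE.match(props.get("ro.build.fingerprint", ""))
    if fp:
        fp_release, _build_type, fp_tags = fp.groups()
        if fp_release != release:
            findings.append(f"fingerprint release {fp_release} != {release}")
        if fp_tags != tags:
            findings.append(f"fingerprint tags {fp_tags} != ro.build.tags {tags}")
    return findings


# The four properties quoted in the article.
SAMPLE = """\
[ro.build.version.release]: [4.4.4]
[ro.build.version.sdk]: [17]
[ro.build.tags]: [test-keys]
[ro.build.fingerprint]: [Xiaomi/cancro/cancro:4.4.4/KTU84P/KXDCNBH25.0:user/release-keys]
"""

if __name__ == "__main__":
    for finding in build_prop_conflicts(parse_getprop(SAMPLE)):
        print("CONFLICT:", finding)
```

On a device, the same check can be fed the saved output of `adb shell getprop`.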

So if you are a buyer or you have already bought the Xiaomi Mi4 LTE, kindly note these facts published by Bluebox and take the necessary action to mitigate the problem. To combat this risk, employees and enterprises need to be careful about how they secure data (personal and corporate) on their devices.

One possible solution would be to completely root the device and install an OS of your own choice on it.

Kaylene Hong, Communications Manager, Xiaomi, reached out to us for this article. Here is what she had to say:

On March 5 2015, Bluebox published an initial report on their website claiming that a Mi 4 bought in China comes pre-installed with malware. Here’s our response after careful investigation:

SUMMARY:

– Xiaomi and Bluebox have confirmed that the device Bluebox obtained is a counterfeit product.
– Bluebox’s reported findings are therefore inaccurate and not representative of Mi phones.
– We always recommend our users buy Mi phones only through our official channels, including Mi.com and select partners such as mobile operators and authorised retailers.
– All Mi phones sold around the world are verified to be fully Android compatible.

DETAILS:

We have concluded our investigation on this topic — the device Bluebox obtained is 100% proven to be a counterfeit product purchased through an unofficial channel on the streets in China. It is therefore not an original Xiaomi product and it is not running official Xiaomi software, as Bluebox has also confirmed in their updated blog post.

1) Hardware: Xiaomi hardware experts have looked at the internal device photos provided to us by Bluebox and confirmed that the physical hardware is markedly different from our original Mi 4.

2) IMEI number: Xiaomi after-sales team has confirmed that the IMEI on the device from Bluebox is a cloned IMEI number which has been previously used on other counterfeit Xiaomi devices in China.

3) Software: Xiaomi MIUI team has confirmed that the software installed on the device from Bluebox is not an official Xiaomi MIUI build as our devices do not come rooted and do not have any malware pre-installed.

As this device is not an original Xiaomi product, and not running an official Xiaomi MIUI software build, Bluebox’s findings are completely inaccurate and not representative of Xiaomi devices. We believe Bluebox jumped to a conclusion too quickly without a fully comprehensive investigation (for example, they did not initially follow our published hardware verification process correctly due to language barrier) and their attempts to contact Xiaomi were inadequate, considering the severity of their accusations.

With the large parallel street market for mobile phones in China, there exists counterfeit products that are almost indistinguishable on the outside. This happens across all brands, affecting both Chinese and foreign smartphone companies selling in China. Furthermore, “entrepreneurial” retailers may add malware and adware to these devices, and even go to the extent of pre-installing modified copies of popular benchmarking software such as CPU-Z and Antutu, which will run “tests” showing the hardware is legitimate.

Xiaomi takes all necessary measures to crack down on the manufacturers of fake devices or anyone who tampers with our software, supported by all levels of law enforcement agencies in China.

We have so far not received meaningful reports of counterfeit Mi phones outside of China. However, to give our international users peace of mind, an English version of our verification app (that certifies the authenticity of Mi hardware) is in the works.

Like all other consumer electronics brands, we always recommend buying Mi phones through authorised channels. Xiaomi only sells via Mi.com, and a small number of Xiaomi trusted partners including mobile operators and select authorised retailers, such as Flipkart in India and others that will be announced in the future.

In addition, contrary to what Bluebox has claimed, MIUI is true Android, which means MIUI follows exactly Android CDD, Google’s definition for compatible Android devices, and it passes all Android CTS tests, the process used by the industry to make sure a given device is fully Android compatible. All Xiaomi devices sold in China and international markets are fully Android compatible.

– Xiaomi

Update: March 8, 2015
Andrew Blaich, Lead Security Analyst

After in-depth testing, Xiaomi has stated that the device is counterfeit and a very good one at that. It even defeated their verification app initially. The conclusion was arrived at after sending about a dozen photographs of a variety of angles and areas of the device that were then reviewed by a team at Xiaomi. They additionally compared several of the other anomalies that Bluebox Labs noted in the original findings report. The level of detail this counterfeit went to look like and act like the real thing was rather extraordinary. It has the same internal structures, battery and labels on the components that are commonly used by people online to determine the authenticity of a device if it’s not powered on[6]. Even the Mi Identification app (AntiFake) that was released by Xiaomi to detect these sorts of situations told us that the device was genuine.

The amount of effort that had to be done to confirm the authenticity of this device goes way beyond what a normal consumer can be expected to do to be assured their purchase is genuine. The version of the MIUI ROM loaded on this device has had some modifications done to even bypass the authentication checks for the AntiFake app. As Bluebox Labs mentioned in the original findings there is a hidden directory on the sdcard called .apk. It is within this hidden directory that some APKs are sitting like CPU-Z and also a version of the AntiFake app. If a user tries to install an app on their phone that corresponds to one of these packages then the app on the sdcard replaces the real app the user attempts to install. This is one method the ROM is using to bypass the verification app. The process can be worked around by removing the version of the APK on the sdcard for the app you want and then replacing it with the real version and then installing the app you want again. We confirmed this by installing the latest AntiFake app. After we got the correct version of the AntiFake app installed on our device we could validate the validity of the device. The device now reports as not legitimate which corroborates the findings from Xiaomi.

Bluebox Labs has been talking with the security team at Xiaomi. The security team did provide some clarified feedback that we had sought out in our original disclosure on the security posture of the MIUI ROM that Xiaomi ships with its devices. The team ran Trustable by Bluebox on the device and received a score of 6.7, a much better score over what Bluebox found with the non-standard MIUI ROM. Additionally, a lot of the discrepancies we found in the ROM are supposedly resolved in the Mi ROM that ships from the factory. While we’re going off verification from the security team at Xiaomi, Bluebox Labs is awaiting some additional devices to arrive in order to carry out our own testing.

The lessons learned in this endeavor come down to: responsible disclosure, supply chain, and authentication tools. Firstly, companies receiving responsible disclosure need to be vigilant about checking the accounts they have set up for receiving such alerts and working with researchers appropriately about their findings. Xiaomi has assured us that they have now taken the necessary steps to monitor the account more closely. The Xiaomi security team has also been excellent at providing us access to the information we’ve requested to verify our findings. Secondly, the supply chain is called into question. Whether or not the device was counterfeit or not the fact remains that consumers are buying devices that have compromised ROMs (either put on legitimate hardware or put on counterfeit hardware) on them that put their data at risk. Finally, the authentication tools used to determine the authenticity of a device need to be drastically improved as suppliers won’t have the time to receive and process dozens of photos per device sold to ascertain the authenticity of their devices or the technical expertise to circumvent the tricks in the software.

2 COMMENTS

  1. Bluebox has confirmed that the mi4 they received was a counterfeit bought from an illegitimate source, and whatever they said does not stand true anymore for the Xiaomi Mi4
