Remote Code Execution in MIUI Puts Millions of Xiaomi Android smartphones at risk
MIUI, a third-party Android ROM used in Xiaomi smartphones and used by over 170 million users around the world is affected by a remote code execution flaw that allows potential hackers to take full control of the Xiaomi smartphone.
The flaw, found by IBM X-Force researcher David Kaplan (@depletionmode) lies in the MIUI custom ROM and allows attackers with privileged network access to take full control of the Xiaomi smartphones. MIUI is the flavour of Android (currently based on Android 6.0) developed by Xiaomi. While the MIUI custom ROM is primarily used in Xiaomi smartphones and tablets, it is freely available for download on other devices.
According to Kaplan, the security researchers discovered a flaw that allows for a man-in-the-middle (MitM) attacker to execute arbitrary code as the highly privileged Android system user. Kaplan says that Xiaomi has been informed about the flaw and the flaw has since been patched. IBM strongly recommended that users update their firmware as soon as possible to ensure they are not vulnerable to this remote executive flaw.
IBM researchers found a vulnerability in the way Xiaomi’s MIUI handles updates. The flaw allows a potential hacker to execute code on a target device via a MitM attack. This attack also involves code injection inside the update framework. According to the researchers, the vulnerability resides in the analytics package, which is present in various applications that come with MIUI. All applications with the analytics package are vulnerable to remote code execution via MitM.
The security researchers found that the flaw allows attackers to inject a JSON response to force an update by replacing the URL and md5 hash with those of a malicious Android application package containing malicious code. The matter is further exacerbated by the fact that there are no checks to verify the downloaded updates.
The researchers also found that the ROM app com.cleanmaster.miui had a code injection flaw which can be exploited to gain system-level privileges to the smartphone.
If you are a Xiaomi smartphone/tablet owner, you should update your smartphone to MIUI version 7.2 immediately.