Largely unknown to its legions of fans, a serious flaw was recently found to affect millions of Xiaomi devices. Its severity can be gauged from the fact that it could have let attackers remotely install malware on those devices.
The flaw lay in the analytics package bundled with Xiaomi’s MIUI operating system, which, as you may recall, the company builds on top of Google’s Android for its smartphones. It was discovered by the IBM X-Force Application Security Research Team, which notified Xiaomi in January.
Hinting at the vast number of devices that could have been affected by the flaw, a report by IBM said,
Xiaomi is currently the third-largest smartphone manufacturer in the world, behind Samsung and Apple, in terms of devices shipped. More than 70 million devices were delivered in 2015, and many millions of these may be impacted by this vulnerability.
And it is not only Xiaomi devices that were affected. Because the MIUI skin is also available to, and shipped by, other manufacturers on their phones in place of stock Android, many more smartphones were exposed to the flaw.
The flaw is a remote code execution (RCE) vulnerability: a man-in-the-middle (MitM) attacker on the network path can remotely execute arbitrary code as a highly privileged Android system user. Nor was it confined to a single app. The vulnerable analytics package was bundled into several applications shipped with MIUI, so every application that included it was open to remote code execution via a MitM attack.
In practice, the analytics package checks for updates by fetching a JSON response that tells it where to download the new version and what that file’s MD5 hash should be, and an attacker who can inject such a response can force an update on the device. Because the request travels over plain, unencrypted HTTP, an attacker on the path can rewrite the response, substituting the URL of a malicious APK containing code of their own and the MD5 hash of that file.
And since the update code itself is never cryptographically verified (the MD5 hash only detects a corrupted download, and it arrives in the same untrusted response as the URL, so the attacker simply recomputes it for the malicious file), the analytics package replaces itself with the bad APK, with catastrophic consequences.
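To make the failure concrete, the following is an added example written for this article; it is not code from IBM, Xiaomi or MIUI. It models the update check described above in Python: a JSON manifest carrying a URL and an MD5, an on-path attacker rewriting both, and the flawed client accepting the result because the hash it checks comes from the attacker. A hardened variant verifies a keyed digest over the downloaded file under a key the attacker does not hold. The JSON field names, the URLs, the fake APK bytes and the "vendor key" are all constructed for the example; the HMAC is a dependency-free stand-in for what a real fix would use, namely an asymmetric signature or the APK signing certificate checked against a key pinned in the app.

```python
import hashlib
import hmac
import json

# Constructed stand-ins for the two update packages (not real APKs).
GENUINE_APK = b"PK\x03\x04 genuine analytics update"
MALICIOUS_APK = b"PK\x03\x04 attacker-controlled payload"
GENUINE_URL = "http://update.example.invalid/analytics.apk"   # assumed URL
ATTACKER_URL = "http://attacker.example.invalid/evil.apk"     # assumed URL

# Stand-in for the vendor's signing key. On a real device this would be a
# pinned public key used to verify an asymmetric signature; an HMAC keeps the
# example self-contained and makes the same point: the attacker cannot forge it.
VENDOR_KEY = b"vendor-signing-key-stand-in"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def vendor_manifest(url: str, apk: bytes) -> str:
    """What the update server sends: a URL, the MD5 of the file and a keyed
    digest over the file. Only the hardened client looks at 'sig'."""
    return json.dumps({
        "url": url,
        "md5": md5_hex(apk),
        "sig": hmac.new(VENDOR_KEY, apk, hashlib.sha256).hexdigest(),
    })


def mitm_rewrite(manifest_json: str, url: str, apk: bytes) -> str:
    """What an on-path attacker can do to a plain-HTTP response: swap the URL
    and recompute the MD5 for the substituted file. 'sig' cannot be recomputed
    without VENDOR_KEY, so the attacker can only leave the stale value in place."""
    m = json.loads(manifest_json)
    m["url"] = url
    m["md5"] = md5_hex(apk)
    return json.dumps(m)


def fetch(url: str, served: dict) -> bytes:
    """Toy network: the attacker also answers the follow-up download request."""
    return served[url]


def vulnerable_update(manifest_json: str, served: dict) -> bytes:
    """Mirrors the flawed logic: the MD5 comes from the same unauthenticated
    response as the URL, so matching it says nothing about who built the file."""
    m = json.loads(manifest_json)
    apk = fetch(m["url"], served)
    if md5_hex(apk) != m["md5"]:
        raise ValueError("download corrupted")
    return apk  # the real client would now hand this to DexClassLoader


def hardened_update(manifest_json: str, served: dict) -> bytes:
    """Verify the downloaded bytes under a key the attacker does not hold
    before anything is loaded; the transport is still untrusted."""
    m = json.loads(manifest_json)
    apk = fetch(m["url"], served)
    expected = hmac.new(VENDOR_KEY, apk, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, m.get("sig", "")):
        raise ValueError("update is not from the vendor")
    return apk


def run_scenario() -> dict:
    """Play the genuine and the tampered manifest against both clients."""
    served = {GENUINE_URL: GENUINE_APK, ATTACKER_URL: MALICIOUS_APK}
    genuine = vendor_manifest(GENUINE_URL, GENUINE_APK)
    tampered = mitm_rewrite(genuine, ATTACKER_URL, MALICIOUS_APK)

    def outcome(update_fn, manifest):
        try:
            return update_fn(manifest, served)
        except ValueError as err:
            return str(err)

    return {
        "vulnerable_genuine": outcome(vulnerable_update, genuine) == GENUINE_APK,
        "vulnerable_tampered": outcome(vulnerable_update, tampered) == MALICIOUS_APK,
        "hardened_genuine": outcome(hardened_update, genuine) == GENUINE_APK,
        "hardened_tampered": outcome(hardened_update, tampered),
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

The vulnerable client installs the attacker's file because every value it checks was supplied by the attacker; the hardened client rejects it because the keyed digest no longer matches. Two caveats a practitioner would add: the manifest request should also move to HTTPS, and a signed-but-old package can still be replayed unless the client also enforces a monotonic version number.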
Meanwhile, users are advised to update their devices to the latest firmware as soon as possible. The attack technique is common and relatively easy to carry out, which makes the flaw all the more dangerous. Interestingly, although IBM found the flaw as early as January, it has only now been publicly disclosed, presumably to give Xiaomi time to ship a firmware release that corrects it.
IBM also says that this type of attack is becoming far too common and that a dialogue is needed to prevent its repetition.
We believe that a discussion should take place as to whether any application should have the ability to execute unsigned code via DexClassLoader, dynamic library injection or any other method on the Android platform. The recurring incidents of what are essentially identical bugs might indicate that the platform should consider exerting a great level of control over such activities and change the default policy to block these actions.
For now, though, if you have a Xiaomi smartphone or any device running the MIUI interface, our advice is to install a firmware update from an official, verified source as soon as possible. You can also visit IBM’s official post on the topic for more details.