A Dutch Computer Science student discovered the presence of a backdoor that could allow an attacker to silently install any app on Xiaomi phones.
A Dutch Computer Science student, Thijs Broenink, who analyzed his Xiaomi mobile device, discovered a backdoor that could allow an attacker to silently install any app on the phone.
The student decided to investigate the pre-installed apps and services on the ROM used by his Xiaomi smartphone, trying to discover their purposes. In the past, we have already reported the presence of pre-installed apps that pose a threat to users' security and privacy.
In March 2015, the security firm Bluebox discovered pre-installed malware and other security issues with a Xiaomi Mi 4 mobile device. The mobile devices analyzed by the security firm seem to have been tampered with by an unidentified third party.
In August 2014, experts at the security firm F-Secure analyzing the new Xiaomi RedMi 1S discovered that it was sending a lot of user data to a server located in China.
Back to the present day, the Dutch student noticed a mysterious pre-installed app, dubbed AnalyticsCore.apk, that runs 24×7 in the background and is impossible to remove.
The student asked about the presence of the AnalyticsCore app on the company's support forum without success. At this point, Broenink decided to reverse engineer the code and found that the app checks for a new update from the Xiaomi server every 24 hours.
The app sends out mobile device identification data including Model, IMEI, MAC address, Nonce, Package name as well as signature.
If the app finds a more recent APK on the server with the filename "Analytics.apk," it will automatically download and install it in the background without user interaction.
How does AnalyticsCore.apk check the authenticity of an update file? What happens if an attacker substitutes the app with a trojanized version?
"The question is then: does it verify the correctness of the APK, and does it make sure that it is in fact an Analytics app? If it does not, that means Xiaomi can install any app on your device it wants, as long as it's named Analytics.apk." Broenink wrote in a blog post.
Broenink discovered that the update process implemented by Xiaomi lacks validation, which means that hackers can exploit it to deliver malicious software to the smartphone.
This also means that Xiaomi can silently install any application on its devices by renaming it to "Analytics.apk."
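As an added illustration (not code from Xiaomi or from Broenink's analysis), this is the kind of validation a self-updating Android app can run on a downloaded APK before installing it: the file name is ignored, and the package name, version, and signing certificates are compared against the installed app. The class and method names `UpdateGate` and `isTrustedUpdate` are hypothetical; the calls are the standard Android `PackageManager` API of that era.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.util.HashSet;
import java.util.Set;

/** Hypothetical pre-install gate for a self-updating app; not Xiaomi's code. */
public final class UpdateGate {
    private UpdateGate() {}

    /** True only if the APK at apkPath is a same-package, same-signer, newer build. */
    @SuppressWarnings("deprecation") // GET_SIGNATURES and versionCode are deprecated since API 28
    public static boolean isTrustedUpdate(Context ctx, String apkPath) {
        try {
            PackageManager pm = ctx.getPackageManager();
            PackageInfo installed =
                    pm.getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            PackageInfo candidate =
                    pm.getPackageArchiveInfo(apkPath, PackageManager.GET_SIGNATURES);
            // Unparsable or unsigned archive: reject.
            if (candidate == null || candidate.signatures == null
                    || candidate.signatures.length == 0) {
                return false;
            }
            // The file name "Analytics.apk" proves nothing; compare the manifest package name.
            if (!installed.packageName.equals(candidate.packageName)) return false;
            // Refuse downgrades and replays of the current version.
            if (candidate.versionCode <= installed.versionCode) return false;
            // Require exactly the same set of signing certificates.
            return digests(installed.signatures).equals(digests(candidate.signatures));
        } catch (Exception e) {
            return false; // fail closed on any lookup or hashing error
        }
    }

    /** SHA-256 fingerprints (hex) of each signing certificate. */
    private static Set<String> digests(Signature[] sigs) throws Exception {
        Set<String> out = new HashSet<>();
        for (Signature s : sigs) {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.toByteArray());
            out.add(new BigInteger(1, d).toString(16));
        }
        return out;
    }
}
```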
"So it looks like Xiaomi can replace any (signed?) package they want silently on your device within 24 hours. And I'm not sure when this App Installer gets called, but I wonder if it's possible to place your own Analytics.apk inside the correct dir, and wait for it to get installed," Broenink said.
The student hasn't discovered the real purpose of the AnalyticsCore app; it sounds like a sort of backdoor that opens millions of Xiaomi devices to cyber attack.
This kind of mechanism could be exploited by intelligence agencies to deliver surveillance software onto millions of Xiaomi devices.
"This sounds like a vulnerability to me anyhow, since they have your IMEI and Device Model, they can install any APK for your device specifically," Broenink added.
Reading the discussion thread on the company forum, it is possible to verify that several users expressed their concerns about the presence of the mysterious app.
"Don't know what purpose does it serve. Even after deleting the file it reappears after some time," wrote one of the users of the forum.