Data security firm Bluebox has discovered preinstalled malware and a host of other issues with a Xiaomi Mi 4 device the company tested. Scarier still, the phone seems to have been tampered with by an unidentified third party.
Bluebox first issued a report on Thursday, after reaching out to Xiaomi and not getting a response.
When the researchers first received the phone, they made sure it was legitimately a Xiaomi device using Xiaomi’s “Mi Identification” app. Upon further testing, security researchers found that there were several malicious applications preloaded onto the smartphone, including adware that disguises itself as a verified Google application; trojans, which allow hackers to gain control of the phone; and other high-risk software.
Furthermore, the device was “vulnerable to every vulnerability we scanned for,” wrote Andrew Blaich, Bluebox’s lead security analyst, in a blog post.
Blaich also said that the Mi 4’s operating system is a non-certified version of Android and is therefore subject to a number of flaws. Some of the bugs and security holes his researchers discovered were specific to old Android software, not its current release, leading them to believe that the OS was a mashup between the newer KitKat 4.4.4 and an older form of Android. Other issues within the API build made the researchers unsure whether the device was meant for testing or consumer use.
There was also suspicion that the device may have been tampered with, because some of the apps held signatures that differed from the manufacturer’s signing key.
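The signing-key observation above is the kind of check a device-vetting team can automate: every preloaded APK carries its signer in `META-INF/*.RSA` (or `.DSA`/`.EC`), and any system app whose signer is not on the allowlist derived from known-good OEM firmware deserves a closer look. The following Python is an added illustration, not Bluebox's tooling or anything from Xiaomi; the APKs, the signer blobs and the allowlist are all constructed in the script, and hashing the whole signature block is a coarse stand-in for the X.509 certificate fingerprint that `apksigner verify --print-certs` would report.

```python
from __future__ import annotations

import hashlib
import io
import zipfile

# Constructed stand-ins for the DER PKCS#7 block a v1-signed APK stores in
# META-INF/CERT.RSA.  These are NOT real Xiaomi or Google certificates.
OEM_SIGNER_BLOB = b"CONSTRUCTED-OEM-PLATFORM-SIGNER-BLOCK"
UNKNOWN_SIGNER_BLOB = b"CONSTRUCTED-THIRD-PARTY-SIGNER-BLOCK"

# Allowlist a vetting pipeline would derive from a factory image it trusts
# (assumption: one platform signer; real firmware often has several).
TRUSTED_SIGNERS = {hashlib.sha256(OEM_SIGNER_BLOB).hexdigest(): "oem-platform"}

SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC")


def build_apk(package_name: str, signer_blob: bytes | None) -> bytes:
    """Build a minimal zip laid out like a v1-signed APK (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", f"<manifest package='{package_name}'/>")
        z.writestr("classes.dex", b"dex\n035\x00")
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if signer_blob is not None:
            z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
            z.writestr("META-INF/CERT.RSA", signer_blob)
    return buf.getvalue()


def signer_fingerprints(apk_bytes: bytes) -> set[str]:
    """SHA-256 of every v1 signature block under META-INF/.

    Hashing the whole block is coarser than fingerprinting the embedded
    certificate, but it still changes whenever the signing key changes.
    """
    fingerprints: set[str] = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES):
                fingerprints.add(hashlib.sha256(z.read(name)).hexdigest())
    return fingerprints


def audit_system_apps(apks: dict[str, bytes], trusted: dict[str, str]) -> dict[str, str]:
    """Classify each preloaded APK by signer: trusted:<label>, unknown-signer or unsigned."""
    verdicts: dict[str, str] = {}
    for package, data in apks.items():
        fps = signer_fingerprints(data)
        if not fps:
            verdicts[package] = "unsigned"
        elif fps <= set(trusted):
            verdicts[package] = "trusted:" + ",".join(sorted(trusted[f] for f in fps))
        else:
            verdicts[package] = "unknown-signer"
    return verdicts


if __name__ == "__main__":
    # Constructed sample of a /system/app dump: one genuine OEM app, one
    # add-on service signed by someone else, one with no signature at all.
    sample = {
        "com.example.oem.settings": build_apk("com.example.oem.settings", OEM_SIGNER_BLOB),
        "com.example.ytservice": build_apk("com.example.ytservice", UNKNOWN_SIGNER_BLOB),
        "com.example.appstats": build_apk("com.example.appstats", None),
    }
    for package, verdict in audit_system_apps(sample, TRUSTED_SIGNERS).items():
        print(f"{package:28s} {verdict}")
```

Run against a real `/system/app` and `/system/priv-app` dump, the same loop is the first triage pass: anything not in the `trusted:` bucket is either a legitimate carrier or partner add-on that belongs on the allowlist, or exactly the kind of tampering described above.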
On Friday, the firm finally heard back from Xiaomi.
“We are certain the device that Bluebox tested is not using a standard MIUI ROM, as our factory ROM and OTA ROM builds are never rooted and we don’t pre-install services such as YT Service, PhoneGuardService, AppStats etc. Bluebox could have purchased a phone that has been tampered with, as they bought it via a physical retailer in China. Xiaomi does not sell phones via third-party retailers in China, only via our official online channels and selected carrier stores.” — Hugo Barra, VP International
Barra went on to say that the company was investigating why it took Xiaomi so long to respond to Bluebox’s initial message. He also said that customers should only purchase Xiaomi products from Mi.com and the select verified stores that the company works with. However, Blaich seemed unimpressed by the response.
“If it’s this easy to modify the device in the retail chain, it could also be modified in transit, even when purchased from mi.com,” he wrote, and then referenced a recent article from Der Spiegel that demonstrated how U.S. intelligence officials are able to intercept computers before they reach their destination and load them with malware — a more modern form of wiretapping. The implication is that if Xiaomi smartphones are already being compromised at the retail level, they may be exposed to more sophisticated attacks as well.
Within the report, Blaich notes that the more popular a device is, the more frequently it’s attacked. Xiaomi already has 100 million people on its MIUI platform and has plans to launch in the U.S. this year, which means the number of Xiaomi users is only going up.