Xiaomi clears allegations of malware on the Mi 4 smartphone
After investigations it was revealed that the smartphone was a counterfeit
Xiaomi has been in and out of troubled waters for some time, and here comes another episode. A recent report stated that Xiaomi’s 2014 flagship Mi 4 smartphone was being shipped with malware on board. The test was conducted by security company BlueBox; Xiaomi stepped in to scrutinize the issue and cleared its name completely.
A test conducted by security firm BlueBox stated that the Mi 4 smartphone, from the Chinese brand Xiaomi, was shipping with malware residing inside the firmware. The test claimed that the malware was disguised as Google apps. However, when Xiaomi was sent the report, the claim took a complete turn.
A report on SlashGear lays out the entire story. BlueBox was fooled! According to the Chinese firm Xiaomi, the handset that the security company was testing was a total counterfeit. The photos that BlueBox supplied to Xiaomi did not match the handset that ships from the Xiaomi factories. The hardware on the tested phone was slightly different from the original, and the IMEI number was also a known clone.
Also surprising was that the MIUI operating system installed on the phone was not an official build from Xiaomi. The entire smartphone was a counterfeit, which undercuts the case for blaming Xiaomi. Xiaomi has worked closely with BlueBox, and both agree that the smartphone in question was a forgery.
Below is the post from BlueBox:
Andrew Blaich, Lead Security Analyst

After in-depth testing, Xiaomi has stated that the device is counterfeit and a very good one at that. It even defeated their verification app initially. The conclusion was arrived at after sending about a dozen photographs of a variety of angles and areas of the device that were then reviewed by a team at Xiaomi. They additionally compared several of the other anomalies that Bluebox Labs noted in the original findings report.

The level of detail this counterfeit went to in order to look like and act like the real thing was rather extraordinary. It has the same internal structures, battery and labels on the components that are commonly used by people online to determine the authenticity of a device if it’s not powered on [6]. Even the Mi Identification app (AntiFake) that was released by Xiaomi to detect these sorts of situations told us that the device was genuine. The amount of effort that had to be done to confirm the authenticity of this device goes way beyond what a normal consumer can be expected to do to be assured their purchase is genuine.

The version of the MIUI ROM loaded on this device has had some modifications done to even bypass the authentication checks for the AntiFake app. As Bluebox Labs mentioned in the original findings, there is a hidden directory on the SD card called .apk. It is within this hidden directory that some APKs are sitting like CPU-Z and also a version of the AntiFake app. If a user tries to install an app on their phone that corresponds to one of these packages then the app on the SD card replaces the real app the user attempts to install. This is one method the ROM is using to bypass the verification app. The process can be worked around by removing the version of the APK on the SD card for the app you want and then replacing it with the real version and then installing the app you want again. We confirmed this by installing the latest AntiFake app.

After we got the correct version of the AntiFake app installed on our device we could validate the validity of the device. The device now reports as not legitimate which corroborates the findings from Xiaomi.

Bluebox Labs has been talking with the security team at Xiaomi. The security team did provide some clarified feedback that we had sought out in our original disclosure on the security posture of the MIUI ROM that Xiaomi ships with its devices. The team ran Trustable by Bluebox on the device and received a score of 6.7, a much better score over what Bluebox found with the non-standard MIUI ROM. Additionally, a lot of the discrepancies we found in the ROM are supposedly resolved in the Mi ROM that ships from the factory. While we’re going off verification from the security team at Xiaomi, Bluebox Labs is awaiting some additional devices to arrive in order to carry out our own testing.

The lessons learned in this endeavor come down to: responsible disclosure, supply chain, and authentication tools.

Firstly, companies receiving responsible disclosure need to be vigilant about checking the accounts they have set up for receiving such alerts and working with researchers appropriately about their findings. Xiaomi has assured us that they have now taken the necessary steps to monitor the account more closely. The Xiaomi security team has also been excellent at providing us access to the information we’ve requested to verify our findings.

Secondly, the supply chain is called into question. Whether or not the device was counterfeit, the fact remains that consumers are buying devices that have compromised ROMs (either put on legitimate hardware or put on counterfeit hardware) on them that put their data at risk.

Finally, the authentication tools used to determine the authenticity of a device need to be drastically improved as suppliers won’t have the time to receive and process dozens of photos per device sold to ascertain the authenticity of their devices or the technical expertise to circumvent the tricks in the software.
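The hidden .apk directory described in the Bluebox post can be audited from a copy of the SD card. The sketch below is an added example, not code from Bluebox or Xiaomi: it hashes every APK found in that directory and checks it against SHA-256 digests of copies obtained through a trusted channel. The file names, the placeholder bytes and the existence of such trusted copies are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

SHADOW_DIR = ".apk"  # hidden SD-card directory named in the Bluebox post


def sha256_file(path):
    """Stream a file through SHA-256 so large APKs are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_shadow_apks(sdcard_root, trusted_digests):
    """Classify each APK in <sdcard_root>/.apk against known-good digests.

    trusted_digests: set of lowercase SHA-256 hex strings computed from APKs
    obtained through a channel you trust (assumption: such copies exist).
    Returns a list of (file_name, verdict) tuples sorted by file name.
    """
    shadow = Path(sdcard_root) / SHADOW_DIR
    if not shadow.is_dir():
        return []
    results = []
    for entry in sorted(shadow.iterdir()):
        if entry.is_file() and entry.suffix.lower() == ".apk":
            ok = sha256_file(entry) in trusted_digests
            results.append((entry.name, "trusted" if ok else "UNVERIFIED"))
    return results


def demo():
    """Audit a constructed SD-card tree (placeholder bytes, not real APKs)."""
    known_good = b"constructed-known-good-bytes"
    modified = b"constructed-modified-bytes"
    trusted = {hashlib.sha256(known_good).hexdigest()}
    with tempfile.TemporaryDirectory() as root:
        shadow = Path(root) / SHADOW_DIR
        shadow.mkdir()
        (shadow / "antifake.apk").write_bytes(modified)   # hypothetical name
        (shadow / "cpu-z.apk").write_bytes(known_good)    # hypothetical name
        (shadow / "notes.txt").write_text("ignored: not an APK")
        return audit_shadow_apks(root, trusted)


if __name__ == "__main__":
    for name, verdict in demo():
        print(f"{verdict:10} {name}")
```

Any file reported as UNVERIFIED is a candidate for the substitution the post describes and should be compared against a copy fetched independently of the device.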