Slashdot Mirror
Millions Of Xiaomi Phones at Risk Of Remotely Installed Malware (zdnet.com)
Zack Whittaker, reporting for ZDNet: Millions of Xiaomi phones are vulnerable to a flaw that could allow an attacker to remotely install malware. The vulnerability, now fixed, was found in the analytics package in Xiaomi's custom-built Android-based operating system. Security researchers at IBM, who found the flaw, discovered a number of apps in the package that were vulnerable to a remote code execution flaw through a man-in-the-middle attack -- one of which would allow an attacker to run arbitrary code at the system-level. In other words, an attacker could inject a link to a malicious Android app package, which is extracted and executed at the system level.
Are all MediaTek Phones vulnerable? I have a MediaTek Phone Produced by BLU. I'm wondering if I am vulnerable to this. The issue with BLU Phones is they are are rootable, but Cyanogen Mod does not support them very well. The Particular BLU Studio I have is discontinued.
Of particular concern is that BLU Phones will soft brick if they are rooted and they OTA update without a complete reflash. My Phone is rooted, so it falls into this category where I can't OTA update it again.
Re-flashing carries with it the hazard that if the NVRAM of the Phone is wiped out, the Phone loses its IMEI info, Bluetooth, and 802.11 MAC
Given how Xiaomi only sells their phones in Asia, I'm sure that the 1% or less of Slashdotters who live in a place where Xiaomi actually sells their phones and on top of that actually have a Xiaomi phone instead of a competitor's phone thank you.
Never heard of this manufacturer. Are they used by any US carriers or is it mostly a Chinese brand?
I have one, and since I am writing what looks to me right now to be the 8th post here, 12.5% of posters have a Xiaomi!
On the more serious side, I ordered mine (I live in the UK) from a Chinese seller who has a warehouse in the EU, and I know a few other people who ordered the same way (whether they are in UK, Greece, Netherlands etc).
Specifically, I bought the Mi4 a year ago for a little over $200, i.e. less than half the cost of other flagship phones with comparable (or sometimes less) specs. Naturally, it came full of bloatware/spywhere, on a Xiaomi you can actually open a browser, download a clean image from the manufacturer website, restart and have it clean-install just like that, not even need of a PC. Oh, and it has dual-boot, keeping a "clean" OS version in case you run into trouble.
Overall it blows away my previous Samsung (which still cost more than the Xiaomi last year, even second hand!!) in every aspect, including - believe it or not - manufacturer support, since you have immediate access to each (of the frequent) new version of the OS for what it seems like at least some years after release of a Xiaomi phone. It is an amazing value and I don't think I'll ever spend much more than $200 on a phone again...
Caveat: Chinese resellers will install spyware (not only on Xiaomi), so clean install once you get a phone!
Violence is the last refuge of the incompetent. Polar Scope Align for iOS
With Chinese Government mandated backdoors in their "custom" Android build, no doubt.
Color me SHOCKED.
"Oh my God. This is terrible. This is the end of my Presidency. I'm fucked."; ~ Donald J. Trump
IT sure smells like a government mandated "feature" rather than a bug since the Chinese government can easily accomplish MitM attacks on Chinese networks.
Are you fucking surprised that a Chinese phone would have a backdoor?!?!
How is this news when the phone itself is infested with malware/spyware from factory to begin with?
I got a Xiaomi Mi 5 smartphone a while ago (bought via HonorBuy) and found out that the reseller had put a hacked (internationalised) Chinese ROM on my phone. This meant that my phone would not be getting any official Xiaomi updates, let alone frequent updates from the reseller.
To solve this I had to create a Xiaomi account, ask Xiaomi permission to unlock bootloaders on their phones (received this after a few days) and perform a fastboot upgrade to the latest available Xiaomi international ROM.
After this I can update to the latest international ROM without issues, fortunately, which currently is 7.5.2.
Site & blog: http://www.mayaposch.com
Ha ha, that's hilarious! Errr, I mean, "How awful!!"
Just cruising through this digital world at 33 1/3 rpm...
Don't use THEIR spyware OS... use OUR spyware OS instead since you already ignore our spyware in our spyware OS based on lots of negative advertising.
rinse lather repeat.
Millions of Xiaomi phones are vulnerable to a flaw that could allow an attacker to remotely install malware.
Do you mean built-in back doors can be used to install malware other than spy tools mandated by the Chinese government?! Color me shocked.
I was just reading the analysis of the Hummingbad malware. And it has a number of tricks. Once it rootkit's your device, it side loads some libraries into the Google Play store app, it can then use them to silently download more compromised apps . In the hummingbad case they are really doing it for financial gain , getting the referrer click fee. However I was quite surprised at how easy the playstore could be compromised. I'm very surprised that google doesn't have this running in it's own sandbox.