Slashdot Mirror

← Back to Stories (view on slashdot.org)

Millions Of Xiaomi Phones at Risk Of Remotely Installed Malware (zdnet.com)

Posted by msmash on from the security-woes dept.

Zack Whittaker, reporting for ZDNet: Millions of Xiaomi phones are vulnerable to a flaw that could allow an attacker to remotely install malware. The vulnerability, now fixed, was found in the analytics package in Xiaomi's custom-built Android-based operating system. Security researchers at IBM, who found the flaw, discovered a number of apps in the package that were vulnerable to a remote code execution flaw through a man-in-the-middle attack -- one of which would allow an attacker to run arbitrary code at the system-level. In other words, an attacker could inject a link to a malicious Android app package, which is extracted and executed at the system level.

6 of 29 comments (clear)

  1. Are all MediaTek Phones vulnerable? by Zombie+Ryushu · · Score: 2

    Are all MediaTek Phones vulnerable? I have a MediaTek Phone Produced by BLU. I'm wondering if I am vulnerable to this. The issue with BLU Phones is they are are rootable, but Cyanogen Mod does not support them very well. The Particular BLU Studio I have is discontinued.

    Of particular concern is that BLU Phones will soft brick if they are rooted and they OTA update without a complete reflash. My Phone is rooted, so it falls into this category where I can't OTA update it again.

    Re-flashing carries with it the hazard that if the NVRAM of the Phone is wiped out, the Phone loses its IMEI info, Bluetooth, and 802.11 MAC

    1. Re:Are all MediaTek Phones vulnerable? by drinkypoo · · Score: 2

      Of particular concern is that BLU Phones will soft brick if they are rooted and they OTA update without a complete reflash. My Phone is rooted, so it falls into this category where I can't OTA update it again.

      you don't have an unroot? I can not only unroot my moto g trivially, but I can re-lock the bootloader.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  2. Re:News but few here probably have such phones by Anonymous Coward · · Score: 4, Interesting

    A lot of people import Xiaomi phones from China. They offer outstanding value for money and are amazingly high quality for the price.

    I use a Redmi Note 2 Prime which I bought for the equivalent of about £130 a year ago. The 5.5inch 1080p IPS screen is very good, the 13mp camera fives great photographs, and the 2.2GHz 8 core Helio X10 processor more than meets my needs. The battery life is good, and it also has a MicroSD expansion slot, which many phones annoyingly lack. MiUI is also a lot better than Android, except for the fact that they bizarrely chose to disable the mass storage mode when you connect the phone to your computer. Xiaomi are also much better at supporting their phones in the long term, and provide software updates for many years.

    Overall, I really can't understand why more people don't import Xiaomi phones since an equivalent phone in the UK would be about 2.5x to 4x the price.

  3. Re:News but few here probably have such phones by Anonymous Coward · · Score: 4, Funny

    A lot of people import Xiaomi phones from China. They offer outstanding value for money and are amazingly high quality for the price.

    Overall, I really can't understand why more people don't import Xiaomi phones since an equivalent phone in the UK would be about 2.5x to 4x the price.

    Because they come with built in root kits?

  4. Chinese manufacturer by Gojira+Shipi-Taro · · Score: 2

    With Chinese Government mandated backdoors in their "custom" Android build, no doubt.

    Color me SHOCKED.

    --
    "Oh my God. This is terrible. This is the end of my Presidency. I'm fucked."; ~ Donald J. Trump
  5. MitM attack in China by Ritz_Just_Ritz · · Score: 2

    IT sure smells like a government mandated "feature" rather than a bug since the Chinese government can easily accomplish MitM attacks on Chinese networks.