Slashdot Mirror
Xiaomi Can Silently Install Any App On Your Android Phone Using A Backdoor (thehackernews.com)
Xiaomi, the Chinese smartphone manufacturer many refer to as the "Apple of China," can silently install any app on your device, according to a Computer Science student and security enthusiast from the Netherlands. Thijs Broenink started investigating a mysterious pre-installed app, dubbed AnalyticsCore.apk, that constantly runs in the background and reappears even if you try and delete it. The Hacker News reports: After asking about the purpose of the AnalyticsCore app on the company's support forum and getting no response, Thijs Broenink reverse engineered the code and found that the app checks for a new update from the company's official server every 24 hours. While making these requests, the app sends device identification information with it, including the phone's IMEI, Model, MAC address, Nonce, Package name as well as signature. If there is an updated app available on the server with the filename "Analytics.apk," it will automatically get downloaded and installed in the background without user interaction. Broenink found that there is no validation at all to check which APK is getting installed to a user's phone, which means there is a way for hackers to exploit this loophole. This also means Xiaomi can remotely and silently install any application on your device just by renaming it to "Analytics.apk" and hosting it on the server. Ironically, the device connects and receives updates over HTTP connection, exposing the whole process to Man-in-the-Middle attacks."
Ironically, the device...
I think you mean predictably.
This "backdoor" they talk about is called "priv-app" system. Basically it can bypass the system's dialog that asks whether an app can be installed. Smartphones with play store should be affected just as well.
to "already has installed"
... who would expect something like that from a company in china... also Google can do the *exact* same thing...
What a shocker, another Chinese hardware manufacturer with crap security and built in backdoor and/or spyware!
If you don't like these buy your computer hardware from some other country... oh wait, everything is made in China.
So I can run an free wifi network and man-in-the-middle anyone with a Xaiomi phone who connects to it and install anything I want on their phone.
That's what you get from a wholly-Chinese company.
And no, using Chinese Contract Manufacturing is NOT the same. Contract Manufacturers don't control the firmware, nor have the signing keys or software distribution abilities.
Of course they can, and are probably mandated by their assigned CCP official.
TFA and TFS both conveniently neglect to mention that Xiaomi Can Silently Install Any App On Your Android Phone... if your Android phone is from Xaiomi.
Which is something like 5% of worldwide share. Focused primarily in China.
does Android have a hosts file?
Xaomi is easy to root and Analytics is the first app I delete
A Chinese firm predictably acts without integrity or honor, and this is considered news?
Xiaomi, the Chinese smartphone manufacturer many refer to as the "Apple of China," can silently install any app on your device
No, they can't. They might be able to silently install any app on devices they manufactured, but my Android phone doesn't know who or what Xiaomi is. Samsung might be able to silently install something on my phone, but Xiaomi sure as hell can't.
Clickbait trash title and the same phrasing repeated in the summary.
So you are telling me that xiaomi can silently install apps, while google, HTC, Sony, Samsung,... can't? Wake up and follow the white rabbit.
I gave up with the idea of an useful sig...
And anybody and anything that half-way looks at your phone. Why doesn't the CFAA apply to these companies forcibly installing unwanted software on my pocket computer and making it impossible to uninstall that software?
Wondering what data that their app will be sending back to HQ.
Why isn't there user-controlled write-protect on phones to prevent this sort of thing? You don't need to be able to install software on your goddamned phone so often that it needs to be in read/write mode all the time.
Of course my question is rhetorical and the answer is obvious: smartphones are just surveillance and data collection devices. Read my new sigline, it says it all.
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
..And collect that $200,000 bounty
Now, if you'll excuse me, I have backups to corrupt.
I just can't understanding not doing HTTPS/HSTS.
Unfortunately you probably lost 90% of your audience at "think."
So, if I understand this story correctly, Xiaomi is just doing what those benevolent western tech companies do; except their implementation is absurdly shoddy.
The total lack of package validation or SSL is pretty amateur hour; but the fact that your phone's vendor never really loosens its grip(until the day it gets bored of providing updates and just pretends it never sold the device) isn't something that started with sinister Chinese intrigue. "Google Play Services" can probably afford better software engineers; but it has capabilities at least as expansive.
It might not be totally silent, but eventually if you have one of recent Sammy phones, you get persistent notifications that will not go away until you update "Samsung Apps" (it's own app store). A single press of that button and the app immediately installs without any sort of permission usage description or whatever. Maybe they don't do it over plain http, but they can still do what they want server side.
And about this particular case, I wouldn't jump all my guns, because I doubt the source can prove all his claims: code that performs all these tasks can download an apk but is it actually using an install command on it? It can just be using some form of upgrade like what is available in vanilla Android, which would prevent a lot of bad things happening such as different validation keys. Also, the apks themselves might have to be signed by the company before even running the command, preventing anyone without this private key from doing so to modified apks. All in all I believe explanations are in order, but this only goes to show the big problem that is buying ANY platform that does not provide the source of the underlying OS and preinstalled, privilleged services on the device, including but not restricted to: Sammy, Xiaomi, HTC, Apple, Huawei, Nokia, Lenovo, Motorola, Siemens, Lg, Sony, Archos, even Google. And from any country. The user simply doesn't know what's going on, but he does place his trust in the closed source by signing privacy and end-user agreements, so there's that. Unless you're buying something like a CM supported device and/or install it on your phone, there's not much you should be amazed about. It's not hacking, it's power abuse, but you do give it to them.
For instance, I would love to see someone explain me the difference of Google itself spicing up a random Play Store apk into something the user is not expecting. What is the difference? It might even be something that fails to pass Google's validation and enters their store contaminating whoever gets their curated software. There have always been viruses in Play and we all know it, it's no novelty, nothing is perfect. What's so different from Xiaomi really? Can't we trust they won't install decent software?
We see a lot of criticism on the tech industry to chinese companies. I believe this is highly unfounded.
Because the licensing agreement that you didn't bother to read said they can remotely update the software on your device at any time and without notice to you.
If it bothers you invest in a Nexus or another device with an unlockable bootloader and install the open source ROM of your choice. If you wish, you can even fly without the Google Play framework, using F-Droid and/or sideloading your own APKs. It's entirely possible to have a completely open source Android device if you so desire.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
I don't see the running process or the file that is supposed to be under com.miui.analytics/cache, I am running the latest Mi4 MIUI version 7.5.1 Global, which was released a couple of months ago. So, perhaps they changed this behavior? The forum posts at least were older than that release. In any case it's been the best (and cheapest actually) Android phone I've had so far. Now, about spying, it really doesn't make a difference to me who it is that is performing it, Xiaomi, Apple, Google whoever tracks me it is the same for me and I am sure they all do when I use their devices. The vulnerability part is of concern though, however I didn't read about anyone actually testing to see whether a random/unsigned apk can indeed be installed automatically using this process. But hopefully my device is not a fluke and indeed it does not run on the latest OS version, possibly replaced by some more elegant and secure spyware ;)
Note that one of the advantages of Xiaomi is that they give you frequent updates to the latest Android for several years, so if such a vulnerability is found even older devices can be updated.
Violence is the last refuge of the incompetent. Polar Scope Align for iOS
1) Android's system partition is, indeed, write-protected. Users can never write to it. However, there has to be a partition with RW rights for data storage, and that's also where all userland apps reside. This is important because users do, in fact, install software regularly, and also updates are pushed out fairly consistently. Having to remount the drive every time would be way more hassle than it's worth if you wanted it to be actually secure in any fashion.
2) All of this is besides the point because the manufacturer is doing it. They could embed that behavior in the motherboard, in a hardware chip separate from the main CPU, they could put it in the firmware, they can do anything. Your "solution" is for a problem completely orthogonal to the issue at hand.
Since IBM sold its PC and laptop division to Lenovo, I've wondered the same about its products.
In the first sentence of the first linked article it mentions Samsung phones are infected with this backdoor, I'm asking why would that be?
I've got two rooted SAMSUNG galaxy class phones. Neither of them has this app installed. Why would Samsung allow a Rival to install modules on the phones they manufacturer, sell, support, and warranty?
I'm pretty sure most cheap tablets that all kinda looks the same, have same specs, and a bunch of weird apps and processes that behave weirdly are all infected with similar stuff.
Got myself a cheap quadcore small tablet just to mess around a bit... tons of weird apps and processes running on the background, you can't uninstall them, and if you root the device and try to do it forcibly, the tablet factory resets itself. It went into the garbage bin.
If it's so easy for them to install malware or other crap onto your phone, why not take advantage?
Since it's so easy to spoof this, install something else to get rid of this crap once and for all.
cara menggugurkan kandungan
jual obat aborsi
cara melunturkan kandungan
cara menggugurkan kandungan usia 1 bulan
cara menggugurkan kandungan usia 2 bulan
cara menggugurkan kandungan usia 3 bulan
cara menggugurkan kandungan usia 4 bulan
cara menggugurkan kandungan usia 5 bulan
cara menggugurkan kandungan usia 6 bulan
I have an old Dell laptop on which I naively activated CompuTrace and it can't be turned off. The BIOS CompuTrace module places 3 executable files in c:\windows\system32 which phone home. The brilliantly simple fix I found somewhere online was to replace the 3 files with empty ones. (they might be mov ax,4ch; int 21 - I forget).
So, could you roll your own AnalyticsCore.apk? Maybe one that messes with them? Or just does nothing?
- bobby
DT Ignite anyone?
Xiaomi Can Silently Install Any App On Your Android Phone Using A Backdoor
Oh really? On my Android phone, you say?
Please stop blindly copying headlines. Stuff like this makes it look like you think us readers are dumb and can't be interested in a story unless it somehow personally affects us.
systemd is Roko's Basilisk.
If it bothers you invest in a Nexus or another device with an unlockable bootloader and install the open source ROM of your choice. If you wish, you can even fly without the Google Play framework, using F-Droid and/or sideloading your own APKs. It's entirely possible to have a completely open source Android device if you so desire.
That is a strange solutions since it is easy to both root and install a custom ROM on Xiaomis phones.
You can also switch back to the official ROM at any time and still receive official updates.
What's the fucking surprise here?
Good luck preventing Play Store or Play Services from doing the same to 'your' phone.
Yes, it is a bad thing nonetheless.
If I flash the phone with Cyanogen will this still be possible?
google can. but you can actually block that(app updates).
fyi, samsung has same. they only need your imei/id. its in mdm api's and "preconfigured installations" guise. same thing.
likely just the devs making reaching out and touching a device easier on themselves.
just think, the devs can push updates and instant fixes. they can also properly assess a customer complaint to see if it is their device or the customer has a crapload of malware on the device. its all just good business.
not everything is a nefarious conspiracy.
"Consensus" in science is _always_ a political construct.
It comes from a beta team member: "No need to create unnecessary fuss about the issue."
Heh, and how much Kool-Aid did you drink pal?
First rule of holes; When in one, stop digging.
A person would have to be really stupid (or a chinese spy) to buy a chinese smartphone. It goes without saying (although I will say it anyway) that everything made in china is connected to the government and has backdoors for surveillance.
I'm not sure you understand. I want a hardware switch that write-protects the entire phone from anyone installing or writing anything to any of it's memory devices for any reason, working RAM excepted, of course (the OS and existing software need stack and heap space, of course). Of course, as you say, and as I've already pointed out, the whole game is rigged before you even get the phone; the manufacturer can put whatever on it and you'd never know, and the wireless company will put whatever on it, and you have no say in the matter. Really, it's enough to make me strongly consider abandoning cellphones completely and just go back to a plain, dumb, landline phone and an answering machine. Currently I have the cheapest flip-phone I could get, and even that could easily be compromised, wirelessly even, even though I've completely disabled any ability it has to connect it's minimal web browser to the Internet, AT&T I'm sure could push whatever code they want to the thing. At least I can turn it completely off, and remove the battery from it.
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
And the point is...
Prudence dictates that ANYONE intending to do any kind of electronic communications with intents of maintaining any sort of security, a thorough education is fully indicated before even shopping for a device.
Otherwise, it is survival of the tech saavy-ist.
Self-importance and self-indulgence is the root of ALL evil.
My phone's rather on the old side; it only has roughly a 2 gigabyte capacity as far as internal storage goes, plus a 4 GB microSDHC card that I've moved parts of a lot of apps to. Despite how few apps I have on this phone, and the fact that portions of many of them have been moved to the microSDHC card, the phone's internal flash storage still has less than 200 megabytes of free space (which frequently causes certain apps to refuse to update, claiming I haven't enough free space to install the update).
Even if I did get hacked with this thing, it wouldn't be able to install anything else to my phone.