Xiaomi Can Silently Install Any App On Your Android Phone Using A Backdoor (thehackernews.com)
Xiaomi, the Chinese smartphone manufacturer many refer to as the "Apple of China," can silently install any app on your device, according to a Computer Science student and security enthusiast from the Netherlands. Thijs Broenink started investigating a mysterious pre-installed app, dubbed AnalyticsCore.apk, that constantly runs in the background and reappears even if you try and delete it. The Hacker News reports: "After asking about the purpose of the AnalyticsCore app on the company's support forum and getting no response, Thijs Broenink reverse engineered the code and found that the app checks for a new update from the company's official server every 24 hours. While making these requests, the app sends device identification information with it, including the phone's IMEI, Model, MAC address, Nonce, Package name as well as signature. If there is an updated app available on the server with the filename "Analytics.apk," it will automatically get downloaded and installed in the background without user interaction. Broenink found that there is no validation at all to check which APK is getting installed to a user's phone, which means there is a way for hackers to exploit this loophole. This also means Xiaomi can remotely and silently install any application on your device just by renaming it to "Analytics.apk" and hosting it on the server. Ironically, the device connects and receives updates over HTTP connection, exposing the whole process to Man-in-the-Middle attacks."
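The summary names two defects: nothing checks which APK gets installed, and the channel is plain HTTP that anyone on the path can tamper with. The defence is for the device to verify a vendor-signed manifest (pinned public key, monotonic version, digest of the body) before anything reaches the package installer. The following Go program is an added example and not code from Xiaomi, Broenink or The Hacker News; the manifest format, the pinned key, the package name and version numbers are assumptions, and the APK bytes are a constructed stand-in.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the small document the vendor signs; trust is bound to its signature and digest, never to a filename.
type Manifest struct {
	Package string `json:"package"`
	Version int    `json:"version"`
	SHA256  string `json:"sha256"` // hex SHA-256 of the APK bytes
}

// SignManifest is the vendor-side step (hypothetical; would run at build time, never on the device).
func SignManifest(priv ed25519.PrivateKey, m Manifest) (body, sig []byte) {
	body, _ = json.Marshal(m)
	return body, ed25519.Sign(priv, body)
}

// VerifyUpdate runs on the device before an APK reaches the installer: pinned key, no rollback, digest must match.
func VerifyUpdate(pinnedPub ed25519.PublicKey, installedVersion int,
	manifestJSON, sig, apk []byte) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pinnedPub, manifestJSON, sig) {
		return m, errors.New("manifest signature invalid: not signed by the pinned vendor key")
	}
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return m, fmt.Errorf("manifest malformed: %w", err)
	}
	if m.Version <= installedVersion {
		return m, fmt.Errorf("rollback/replay: version %d <= installed %d", m.Version, installedVersion)
	}
	if sum := sha256.Sum256(apk); hex.EncodeToString(sum[:]) != m.SHA256 {
		return m, errors.New("APK digest mismatch: body swapped or corrupted in transit")
	}
	return m, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // demo key pair; a real device holds only the pinned public key
	apk := []byte("constructed stand-in for Analytics.apk bytes")
	sum := sha256.Sum256(apk)
	mj, sig := SignManifest(priv, Manifest{Package: "com.example.analytics", Version: 2, SHA256: hex.EncodeToString(sum[:])})
	_, err := VerifyUpdate(pub, 1, mj, sig, apk)
	fmt.Println("genuine update error:", err)
	// A body swapped on the path (as plain HTTP allows) fails because the manifest cannot be re-signed.
	_, err = VerifyUpdate(pub, 1, mj, sig, []byte("swapped in transit"))
	fmt.Println("swapped APK error:", err)
}
```

With this check in place the transport still deserves TLS, but a substituted body or a replayed older build is rejected even when the channel is not trustworthy.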
Yes, it does.
You should have root, then use a file explorer that supports text editing or another editing app to edit the hosts file (/system/etc/hosts).
AdAway ad blocker for Android also works with the hosts file.
I'm not certain if you need root for this but you can also push and pull the hosts file using adb.
Well, at least one big difference is the encryption... if Google's updated app is served via an encrypted request, it's much more likely that only they can send the updated apk to the target's phone.
With Xiaomi's implementation, anyone between the target and the server can send the apk of their choice.
Who should be able to update software? The company you're already relying on for various services, or _anyone_?