Filename | Xiaomi Mi 4 Smartphone Pre-loaded with Malware and Custom Android ROM |
Author | Unknown |
Date and Time | 3/08/2015 |
Label | Cyber News |
./Arizona Team
Xiaomi, the very popular and world's third-largest smartphone distributor, which had previously been criticized for secretly stealing users’ information from the device without the user's permission, has once again been found spreading malware.
The top-selling Android smartphone in China, the Xiaomi Mi4 LTE, has been found to ship with pre-loaded spyware/adware and, on top of that, a "forked," or not certified, vulnerable version of the Android operating system, according to Bluebox, a San Francisco-based mobile-security company.
Xiaomi, which is also known as the Apple of China, provides affordable, in-budget smartphones with almost all the features that an excellent smartphone provides. Just like other Xiaomi devices, the Mi4 LTE smartphone seems to attract a large number of customers, with more than 25,000 units sold out in just 15 seconds on India’s online retailer Flipkart.
Security researcher Andrew Blaich of Bluebox revealed Thursday that the brand-new Chinese Xiaomi Mi4 LTE handset appears to be unsafe to use from the moment you take it out of the box for the first time. After extensive testing, Blaich found two serious security issues in the smartphone:
Pre-installed apps that are flagged as malware
A forked, or not certified, version of the Android operating system, which can be a serious security risk for users
ISSUE 1: PRE-INSTALLED MALWARE APPS
With the help of several top malware and antivirus scanners, the researcher discovered that the Mi4 LTE smartphone contains six suspicious apps that were flagged as malware, spyware or adware.
One particularly malicious app noticed by Bluebox, Yt Service, was found to be a piece of adware called DarthPusher and comes preloaded on all Xiaomi Mi4 LTE smartphones. What makes this app different is that Yt Service disguises its package to look as if it came directly from Google, something an average Android user would expect to find on their device.
"This was an interesting find because, though the app was named Yt Service, the developer package was named com.google.hfapservice (note this app is NOT from Google)," Andrew Blaich wrote in a blog post on Thursday.
Other shady apps that come pre-installed on the device are as follows:
PhoneGuardService (com.egame.tonyCore.feicheng) - flagged by the anti-virus solution as a Trojan that could allow malefactors to hijack the phone. The name of this app is enough to fool users.
SMSreg - another piece of risky software, detected by the anti-virus firm as malware.
AppStats (org.zxl.appstats) - classified as Riskware.
In total, the security researchers discovered six suspicious apps whose behavior is similar to malware, spyware or adware.
ISSUE 2: CUSTOM/FORKED VERSION OF ANDROID ROM
There are two kinds of Custom Android ROMs – ‘compatible’ and ‘non-compatible’.
Compatible Android forks are based on the Android Open Source Project (AOSP), comply with the Android Compatibility Definition Document (CDD), and pass the Compatibility Test Suite (CTS).
Non-compatible forks are built on Android Open Source Project (AOSP), but are built to run their own ecosystems.
The Android version aboard the Mi4 LTE was found to be a sort of mixture of Android KitKat, Jelly Bean and even earlier Android versions.
Using Trustable, their mobile security assessment tool, the researcher discovered that the analyzed Mi4 unit was vulnerable to a host of recently discovered security flaws such as Masterkey, FakeID, and Towelroot (Linux futex).
ISSUE 3: MI 4 VULNERABLE TO SEVERAL FLAWS
Bluebox researchers stated that the Mi4 LTE smartphone was vulnerable to all the big vulnerabilities, except the Heartbleed bug.
"Not only was the device vulnerable to every vulnerability we scan for (except for Heartbleed which only was vulnerable in 4.1.1), it was also rooted and had USB debugging mode enabled without proper prompting to talk with a connected computer," Blaich explained.
Several conflicting API build properties were also observed, meaning it was "unclear if [the] build of the software was meant for testing or release to consumers."
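The kind of build-property audit described above can be reproduced on any handset from the output of `adb shell getprop`. The following is an added example, not code from Bluebox or the original article; the sample property dump is constructed for illustration and the function names are hypothetical.

```python
import re

# Constructed sample of `adb shell getprop` output; values are illustrative,
# not taken from the Bluebox report.
SAMPLE_GETPROP = """\
[ro.build.type]: [user]
[ro.build.tags]: [test-keys]
[ro.build.version.release]: [4.4.4]
[ro.build.version.sdk]: [17]
[ro.debuggable]: [1]
[ro.secure]: [0]
[ro.adb.secure]: [0]
[persist.sys.usb.config]: [mtp,adb]
"""

# Android release prefix -> API level (public platform version table).
RELEASE_TO_SDK = {"4.1": 16, "4.2": 17, "4.3": 18, "4.4": 19}

def parse_getprop(text):
    """Turn '[key]: [value]' lines into a dict."""
    return dict(re.findall(r"^\[([^\]]+)\]: \[([^\]]*)\]$", text, re.M))

def audit_build_props(props):
    """Return findings that suggest a test/engineering build shipped to users."""
    findings = []
    build_type = props.get("ro.build.type", "")
    if build_type != "user":
        findings.append(f"build type is '{build_type}', not 'user'")
    if "test-keys" in props.get("ro.build.tags", ""):
        findings.append("signed with test-keys, not release-keys")
    if props.get("ro.debuggable") == "1":
        findings.append("ro.debuggable=1: any app can be debugged")
    if props.get("ro.secure") == "0":
        findings.append("ro.secure=0: adbd runs as root")
    if "adb" in props.get("persist.sys.usb.config", "").split(","):
        findings.append("USB debugging enabled by default")
    if props.get("ro.adb.secure") == "0":
        findings.append("ro.adb.secure=0: no host-key prompt for adb")
    release = props.get("ro.build.version.release", "")
    sdk = props.get("ro.build.version.sdk", "")
    expected = RELEASE_TO_SDK.get(".".join(release.split(".")[:2]))
    if expected and sdk.isdigit() and int(sdk) != expected:
        findings.append(f"release {release} implies API {expected}, but sdk={sdk}")
    return findings

if __name__ == "__main__":
    for finding in audit_build_props(parse_getprop(SAMPLE_GETPROP)):
        print("[!]", finding)
```

A device that reports `user` and `release-keys` yet also sets `ro.debuggable=1` or a mismatched SDK level shows exactly the kind of conflict that makes it unclear whether a build was meant for testing or for consumers.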
Bluebox disclosed the issue to Xiaomi, which has not yet responded to the security firm's queries, nor has it acknowledged the device's purported security weaknesses.
So, if you are planning to buy a brand-new Xiaomi Mi4 LTE smartphone, which is no doubt an attractive phone with all the popular smartphone features included, you must think twice before getting one.
www.arizonainfotech.com