Xiaomi Mi 4 Smartphone Pre-loaded with Malware and Custom Android ROM
Once again the very popular and the world's third largest smartphone distributor Xiaomi, which had previously been criticized for secretly stealing users’ information from the device without the user's permissions, has been found spreading malware.

The top selling Android smartphone in China, Xiaomi Mi4 LTE, has been found to be shipped with pre-loaded spyware/adware and a "forked," or not certified, vulnerable version of Android operating system on top of that, according to a San Francisco-based mobile-security company, Bluebox.

Xiaomi, which is also known as Apple of China, provides an affordable and in-budget smartphones with almost all features that an excellent smartphone provides. Just like other Xiaomi devices, Mi4 LTE smartphone seems to attract a large number of customers with more than 25,000 units sold out in just 15 seconds on India’s online retailer Flipkart.

Security Researcher Andrew Blaich of Bluebox firm revealed Thursday that the brand new Chinese Xiaomi Mi4 LTE handset appears to be unsafe to use from the moment you take it out of the box for the first time. After extensive testing, Blaich found two serious security issues in the smartphone:
  • Pre-installed Apps which are flagged as malware
  • Forked, or not certified version of Android operating system which can be a serious security risk for the users

ISSUE 1: PRE-INSTALLED MALWARE APPS
With the help of several top malware and antivirus scanners, researcher discovered that the Mi4 LTE smartphone contains six suspicious apps that were flagged as malware, spyware or adware.

One particularly malicious app, Yt Service, noticed by Bluebox found to be a piece of adware called DarthPusher, comes preloaded in all Xiaomi Mi4 LTE smartphones. But, what makes this app different is that Yt Service disguised its package to look as if it came directly from Google; something an average Android user would expect to find on their device.
"This was an interesting find because, though the app was named Yt Service, the developer package was named com.google.hfapservice (note this app is NOT from Google)," Andrew Blaich wrote on a blog post on Thursday.
Other shady apps comes pre-installed on the device are as follows:
  • PhoneGuardService (com.egame.tonyCore.feicheng) - flagged by the anti-virus solution as a Trojan that could allow malefactors to hijack the phone. The name of this app is enough to fool users.
  • SMSreg - another piece of risky software detected by the anti-virus firm as a Malware.
  • AppStats - classified (org.zxl.appstats) as Riskware.
In total, the security researchers discovered six suspicious apps whose behavior is similar to malware, spyware or adware.

ISSUE 2: CUSTOM/FORKED VERSION OF ANDROID ROM
There are two kinds of Custom Android ROMs – ‘compatible’ and ‘non-compatible’.
  • Compatible Android forks are based on the Android Open Source Project (AOSP), comply with the Android Compatibility Definition Document (CDD); and pass the Compatibility Test Suite (CTS).
  • Non-compatible forks are built on Android Open Source Project (AOSP), but are built to run their own ecosystems.
Android version aboard Mi4 LTE found to be a sort of mixture of Android Kitkat, Jellybean and even earlier Android versions.

Using Trustable, their mobile security assessment tool, researcher discovered that the analyzed Mi4 unit was vulnerable to a host of security flaws recently discovered like the Masterkey, FakeID, and Towelroot (Linux futex).

ISSUES 3: MI 4 VULNERABLE TO SEVERAL FLAWS
Bluebox researchers stated that the Mi4 LTE smartphone was vulnerable to all the big vulnerabilities, except Heartbleed bug.
"Not only was the device vulnerable to every vulnerability we scan for (except for Heartbleed which only was vulnerable in 4.1.1), it was also rooted and had USB debugging mode enabled without proper prompting to talk with a connected computer," Blaich explained.
Several conflicting API build properties were also observed, meaning it was "unclear if [the] build of the software was meant for testing or release to consumers."

Bluebox disclosed the issue to the Xiaomi, which has yet not responded to the security firm's queries, nor has it acknowledged the device's purported security weaknesses.

So, if you are planning to buy a brand new Xiaomi Mi4 LTE smartphone, which is no doubt an attractive phone with all popular smartphone features included in it, you must think twice before get one.

Yesterday, the latest update of uTorrent version was also accused of bundling Bitcoin cryptocurrency mining malware with popular BitTorrent client.

UPDATE:
Xiaomi spokesperson provided the following official statement to 'The Hacker News' via an email:

"We are investigating this matter now. There are glaring inaccuracies in the Bluebox blog post. Official Xiaomi devices do not come rooted and do not have malware pre-installed. Therefore, we are certain the device that Bluebox tested is not using a standard MIUI ROM."

"It is likely that the Mi 4 that Bluebox obtained has been tampered with, because it was purchased from an unofficial channel. We only sell via Mi.com, and a small number of select partners such as operators."

"Furthermore, contrary to what Bluebox has claimed, MIUI is true Android, which means MIUI follows exactly Android CDD, which is Google's definition for Android devices, and it passes all CTS tests, the tool used to make sure a given device conforms to CDD, both in China and international markets."

Have something to say about this article? Comment below or share it with us on Facebook, Twitter or our LinkedIn Group.