Xiaomi Android Devices

Multiple security vulnerabilities have been disclosed in various applications and system components within Xiaomi devices running Android.

"The vulnerabilities in Xiaomi led to access to arbitrary activities, receivers and services with system privileges, theft of arbitrary files with system privileges, [and] disclosure of phone, settings and Xiaomi account data," mobile security firm Oversecured said in a report shared with The Hacker News.


The 20 shortcomings impact different apps and components like -

  • Gallery (com.miui.gallery)
  • GetApps (com.xiaomi.mipicks)
  • Mi Video (com.miui.videoplayer)
  • MIUI Bluetooth (com.xiaomi.bluetooth)
  • Phone Services (com.android.phone)
  • Print Spooler (com.android.printspooler)
  • Security (com.miui.securitycenter)
  • Security Core Component (com.miui.securitycore)
  • Settings (com.android.settings)
  • ShareMe (com.xiaomi.midrop)
  • System Tracing (com.android.traceur), and
  • Xiaomi Cloud (com.miui.cloudservice)

Some of the notable flaws include a shell command injection bug impacting the System Tracing app and flaws in the Settings app that could enable theft of arbitrary files as well as leak information about Bluetooth devices, connected Wi-Fi networks, and emergency contacts.

It's worth noting that while Phone Services, Print Spooler, Settings, and System Tracing are legitimate components from the Android Open Source Project (AOSP), they have been modified by the Chinese handset maker to incorporate additional functionality, leading to these flaws.


Also discovered is a memory corruption flaw impacting the GetApps app, which, in turn, originates from an Android library called LiveEventBus that Oversecured said was reported to the project maintainers over a year ago and remains unpatched to date.

The Mi Video app has been found to use implicit intents to send Xiaomi account information, such as username and email address via broadcasts, which could be intercepted by any third-party app installed on the devices using its own broadcast receivers.

Oversecured said the issues were reported to Xiaomi within a span of five days from April 25 to April 30, 2023. Users are advised to apply the latest updates to mitigate against potential threats.

(A previous version of the story incorrectly mentioned the disclosure timeline as April 2024. It was disclosed in April 2023.)

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.