Malware, Anomalies Discovered in Xiaomi Phone - Bluebox Security

By CIOReview | Monday, March 9, 2015

FREMONT, CA: The Xiaomi smartphone, which is expected to hit the U.S. market soon, is in hot water as warnings of built-in malware and various anomalies surface, reports Ruth Reader of VentureBeat. Bluebox Security, a mobile security company, has discovered adware, as well as anomalies in the Android version and USB handling, in the Xiaomi Mi 4 LTE. The device also proved vulnerable in the many tests Bluebox conducted in its lab. Xiaomi, however, maintains that it cannot take responsibility for shortcomings in a device purchased from a third party, in this case a retail store.

Risky Apps
Bluebox purchased the Xiaomi Mi 4 LTE from a retail outlet in China for testing. The tests revealed an app called Yt Service, which embeds an adware service called DarthPusher that makes the device vulnerable to exploitation. Another risky app, PhoneGuardService, has been classified as a Trojan; AppStats and SMSreg are riskware and malware respectively.

The USB issue
The Xiaomi Mi 4 LTE under test was rooted and had USB debugging mode enabled, with no effective prompt mechanism in place for communicating with a connected computer. The build properties were also perplexing: they conflicted between Android KitKat 4.4.4 and older Android versions.

When Bluebox communicated its findings to Xiaomi, the company replied: “We are certain the device that Bluebox tested is not using a standard MIUI ROM, as our factory ROM and OTA ROM builds are never rooted and we don’t pre-install services such as YT Service, PhoneGuardService, AppStats etc. Bluebox could have purchased a phone that has been tampered with, as they bought it via a physical retailer in China. Xiaomi does not sell phones via third-party retailers in China, only via our official online channels and selected carrier stores,” said Hugo Barra, VP International, Xiaomi.

While the correspondence between the mobile security company and the manufacturer is still ongoing, it will be interesting to see how these security challenges are addressed and what measures Xiaomi takes to win the confidence of countries and consumers.