In March 2015, the security firm Bluebox discovered pre-installed malware and other security issues with a Xiaomi Mi 4 mobile device.The mobile devices analyzed by the security firm seems to have been tampered with by an unidentified third party.
In August 2014, experts at F-Secure security firm analyzing the new Xiaomi RedMi 1S discovered that it was sending out to a server located in China a lot of user’s data.
Back to the present days, the Dutch student noticed a mysterious pre-installed app, dubbed AnalyticsCore.apk, that runs 24×7 in the background and it is impossible to remove.
The student decided to ask about the presence of the AnalyticsCore app on the company’s support forum without success. At this point, Broenink decided to do a reverse engineering of the code and discovered that found that the app checks for a new update from the Xiaomi server every 24 hours.
The app sends out mobile device identification data including Model, IMEI, MAC address, Nonce, Package name as well as signature.
If the app finds on the server more recent apk with the filename “Analytics.apk,” it will automatically download and install it in the background without user interaction.
How does the AnalyticsCore.apk chack the authenticity of an update file? What happens if an attacker substitute the app with a trojanized version?
“The question is then: does it verify the correctness of the APK, and does it make sure that it is in fact an Analytics app? If it does not, that means Xiaomi can install any app on your device it wants, as long as it’s named Analytics.apk.” Broenink wrote in a blog post.
Broenink discovered that the update process implemented by Xiaomi lack of validation, this means that hackers can exploit it to deliver a malicious software on the smartphone.
This also means that the Xiaomi firm can silently install any application on its devices by renaming it to “Analytics.apk.”
“So it looks like Xiaomi can replace any (signed?) package they want silently on your device within 24 hours. And I’m not sure when this App Installer gets called, but I wonder if it’s possible to place your own Analytics.apk inside the correct dir, and wait for it to get installed,” Broenink said.
The student hasn’t discovered the real purpose of the AnalyticsCore app, it sounds like a sort of backdoor that opens million Xiaomi devices to cyber attack.
Such kind of mechanism could be exploited by intelligence agencies to deliver surveillance software onto millions of Xiaomi devices.
“This sounds like a vulnerability to me anyhow, since they have your IMEI and Device Model, they can install any APK for your device specifically,” Broenink added.
Reading the discussion thread on the company forum, it is possible to verify that several users expressed their concerns about the presence of the mysterious app.
“Don’t know what purpose does it serve. Even after deleting the file it reappears after some time,” wrote one of the users of the forum.
Waiting for a reply from Xiaomi, users can block all connections to Xiaomi related domains using a firewall app.
(Security Affairs – Xiaomi, mobile)