Pre-loaded malware found on Xiaomi Mi 4 device, And Custom Android ROM


Xiaomi Mi4 LTE Android smartphone ships with preloaded spyware/adware and a mixed Android OS, which is a big security risk, says Bluebox

Chinese tech major Xiaomi has steadily risen to become one of the top sellers of smartphones worldwide and is at present the third-largest smartphone manufacturer. Its phones are highly popular in countries like India and China. Its latest model, the Mi4 LTE, is already seeing strong sales, with over 25,000 units sold in just 15 seconds in a flash sale on India's online retailer Flipkart.
However, all is not hunky-dory with the Xiaomi Mi4 LTE, according to security researchers at mobile data security company Bluebox.
Bluebox researchers found two critical security problems with the Mi4 LTE. The first is a set of pre-installed apps on the Mi4 which Bluebox says are flagged as malware. The second is that the Mi4 ships with a forked Android build, which can be a huge security risk for users.

Apps detected as malware found in default configuration

To research the security issues with the Xiaomi Mi4, Bluebox researchers ordered a Mi4 directly from China. First-hand investigation revealed that the unit they bought came pre-installed with a set of risky apps, most of which were flagged as malware by antivirus software.

Yt Service

Yt Service is one app that Bluebox researchers found particularly dangerous. Yt Service, whose purpose is to integrate an adware service called DarthPusher, comes preloaded on all Xiaomi Mi4 LTE smartphones. The unassuming adware, used to push ads, gives the false impression that it was developed by Google: Bluebox notes that its package is named "com.google.hfapservice", which makes it look like a legitimate app developed by Google.
“In other words, it tricks users into believing it’s a ‘safe’ app vetted by Google,” Bluebox said in a blog post on Thursday.

PhoneGuardService

Another of the shady apps, PhoneGuardService, which antivirus solutions flag as a Trojan, has a name that can fool users; its package is "com.egame.tonyCore.feicheng". In addition to PhoneGuardService, Bluebox also found an app called SMSreg and six other apps which come preloaded on the Xiaomi Mi4 LTE and behave like spyware and adware.
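A package name that looks like Google's proves nothing; only the APK's signing certificate identifies who built it. The following is an added example (not Bluebox's tooling or anything from Xiaomi) that parses the output of `adb shell pm list packages -f -s` and of `apksigner verify --print-certs` for each system APK, then reports packages that sit in a trusted namespace but are signed by a certificate that is not on your allow-list. The sample `pm` and `apksigner` output is constructed, the certificate digests are fake placeholders, and the allow-list is an assumption you must fill in yourself.

```python
"""Flag preloaded packages whose name squats on a trusted vendor namespace.

Added example, not Bluebox's tooling. A package name such as
com.google.hfapservice says nothing about who built the APK; only the
signing certificate does. Parse `pm list packages -f -s` output and
`apksigner verify --print-certs` output per APK, then report packages that
claim a trusted namespace but carry an unknown signer.
"""
import re
from typing import Dict, List, Tuple

# Namespaces a preloaded app might use to look like a vendor or OS component.
TRUSTED_NAMESPACES = ("com.google.", "com.android.")

# ASSUMPTION / placeholder: fill with SHA-256 digests of the signing
# certificates you have verified for these namespaces (Google's app signer,
# the device's platform key). The value below is a stand-in, not a real digest.
KNOWN_SIGNERS = {"aa" * 32}

_PM_LINE = re.compile(r"^package:(?P<path>\S+?)=(?P<pkg>[\w.]+)$")
_CERT_LINE = re.compile(r"Signer #\d+ certificate SHA-256 digest: ([0-9a-f]{64})")


def parse_pm_list(output: str) -> Dict[str, str]:
    """Map package name -> APK path from `pm list packages -f` output."""
    pkgs: Dict[str, str] = {}
    for line in output.splitlines():
        m = _PM_LINE.match(line.strip())
        if m:
            pkgs[m.group("pkg")] = m.group("path")
    return pkgs


def parse_apksigner(output: str) -> List[str]:
    """Extract signer certificate SHA-256 digests from `apksigner verify --print-certs`."""
    return _CERT_LINE.findall(output)


def find_impersonators(pkgs: Dict[str, str],
                       signers: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Return (package, apk_path, reason) for packages in a trusted namespace
    whose APK is not signed by an allow-listed certificate."""
    findings: List[Tuple[str, str, str]] = []
    for pkg, path in sorted(pkgs.items()):
        if not pkg.startswith(TRUSTED_NAMESPACES):
            continue
        digests = signers.get(path, [])
        if not digests:
            findings.append((pkg, path, "no signer information for APK"))
        elif not any(d in KNOWN_SIGNERS for d in digests):
            findings.append((pkg, path, "signed by unknown certificate " + digests[0][:16] + "..."))
    return findings


# Constructed sample data, modelled on the package names in the Bluebox report.
PM_OUTPUT = """\
package:/system/app/YtService.apk=com.google.hfapservice
package:/system/app/PhoneGuardService.apk=com.egame.tonyCore.feicheng
package:/system/priv-app/Settings.apk=com.android.settings
"""

# Constructed `apksigner verify --print-certs` output per APK (digests are fake).
APKSIGNER_OUTPUT = {
    "/system/app/YtService.apk":
        "Signer #1 certificate DN: CN=hfap\nSigner #1 certificate SHA-256 digest: " + "bb" * 32 + "\n",
    "/system/app/PhoneGuardService.apk":
        "Signer #1 certificate DN: CN=egame\nSigner #1 certificate SHA-256 digest: " + "cc" * 32 + "\n",
    "/system/priv-app/Settings.apk":
        "Signer #1 certificate DN: CN=Android\nSigner #1 certificate SHA-256 digest: " + "aa" * 32 + "\n",
}


def scan_sample() -> List[Tuple[str, str, str]]:
    """Run the check over the constructed sample and return the findings."""
    pkgs = parse_pm_list(PM_OUTPUT)
    signers = {path: parse_apksigner(text) for path, text in APKSIGNER_OUTPUT.items()}
    return find_impersonators(pkgs, signers)


if __name__ == "__main__":
    for pkg, path, reason in scan_sample():
        print(f"{pkg} ({path}): {reason}")
```

On the constructed sample only com.google.hfapservice is reported: it claims Google's namespace but is signed by a certificate that is not on the allow-list. Note the limitation: PhoneGuardService (com.egame.tonyCore.feicheng) does not squat on a trusted namespace, so a name-based check never sees it; that is why antivirus flagging and behavioural analysis are still needed alongside signer verification. To run this on a real device, `adb pull` each APK listed by `pm list packages -f -s` and feed it to `apksigner verify --print-certs`.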

Forked OS version vulnerable to Masterkey, FakeID, and Towelroot (Linux futex)

Bluebox said they found the Android version on the Mi4 to be a mixture of Android KitKat, Jelly Bean and even earlier Android versions. Using Trustable, their mobile security assessment tool, the researchers found the Mi4 LTE vulnerable to a host of recently discovered flaws, including Masterkey, FakeID and Towelroot (Linux futex). Bluebox stated that the Mi4 was vulnerable to every flaw they scan for except Heartbleed.
“Not only was the device vulnerable to every vulnerability we scan for (except for Heartbleed which only was vulnerable in 4.1.1), it was also rooted and had USB debugging mode enabled without proper prompting to talk with a connected computer,” their blogpost says.
The researchers said that the "su" application does require a security provider on the device (com.lbe.security.miui.su), so use of "su" is restricted in some sense; however, it should not exist in a production Android build at all, as it is a gateway for apps and could be leveraged by cyber criminals to take advantage of root access and gain complete control of the device.
As evidence that the build is a fork, they noted that the USB debugging icon was taken from Jelly Bean (Android 4.1-4.3.1), while other vulnerabilities they uncovered were specific to earlier versions of Android and have been fixed in KitKat.
Bluebox however made it clear that they did not know whether the device they were testing was a lab prototype or whether it was intended as a consumer release.
Conflicting build properties

[ro.build.version.release]: [4.4.4]
    This corresponds to Android KitKat, API level 19.
[ro.build.version.sdk]: [17]
    This API level corresponds to Android Jelly Bean 4.2, not to 4.4.4.
[ro.build.tags]: [test-keys]
    Usually seen only on test or debug builds, and it conflicts with the tags in the device fingerprint.
[ro.build.fingerprint]: [Xiaomi/cancro/cancro:4.4.4/KTU84P/KXDCNBH25.0:user/release-keys]
    The fingerprint claims a production ("user") build of 4.4.4 signed with release keys.
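These contradictions are easy to check on any device before trusting it. The following is an added example (not Bluebox's Trustable tool) that parses the `[key]: [value]` lines printed by `adb shell getprop` and reports the same classes of inconsistency: release string versus SDK level, `ro.build.tags` versus the tags embedded in the fingerprint, and test-key signing. The release-to-API table and the two extra debug-exposure properties (`ro.debuggable`, `ro.secure`, which the report does not list) are assumptions I added; the sample input below is constructed from the four property values above.

```python
"""Cross-check Android build properties for contradictions.

Added example, not Bluebox's Trustable tool. Input is the `[key]: [value]`
format printed by `adb shell getprop`.
"""
import re
from typing import Dict, List

_PROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]:\s*\[(?P<val>[^\]]*)\]$")

# Platform release -> API level for the releases relevant here (4.1 to 4.4.4).
# ASSUMPTION: extend this table from the Android docs for newer releases.
RELEASE_TO_API = {
    "4.1": 16, "4.1.1": 16, "4.1.2": 16,
    "4.2": 17, "4.2.1": 17, "4.2.2": 17,
    "4.3": 18, "4.3.1": 18,
    "4.4": 19, "4.4.1": 19, "4.4.2": 19, "4.4.3": 19, "4.4.4": 19,
}


def parse_getprop(output: str) -> Dict[str, str]:
    """Parse `getprop` output into a key -> value dict."""
    props: Dict[str, str] = {}
    for line in output.splitlines():
        m = _PROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def check_build_props(props: Dict[str, str]) -> List[str]:
    """Return a list of human-readable findings; empty means consistent."""
    findings: List[str] = []
    release = props.get("ro.build.version.release")
    sdk = props.get("ro.build.version.sdk")
    tags = props.get("ro.build.tags")
    fp = props.get("ro.build.fingerprint", "")

    # 1. The release string and the SDK (API) level must agree.
    expected = RELEASE_TO_API.get(release or "")
    if expected is not None and sdk and sdk.isdigit() and int(sdk) != expected:
        findings.append(f"ro.build.version.release={release} implies API {expected}, "
                        f"but ro.build.version.sdk={sdk}")

    # 2. Fingerprint layout: BRAND/PRODUCT/DEVICE:RELEASE/ID/INCREMENTAL:TYPE/TAGS.
    #    Its trailing TAGS field must match ro.build.tags, and it must carry
    #    the same release string.
    if fp:
        fp_tags = fp.rsplit("/", 1)[-1]
        if tags and tags != fp_tags:
            findings.append(f"ro.build.tags={tags} but fingerprint says {fp_tags}")
        if release and f":{release}/" not in fp:
            findings.append(f"fingerprint does not carry release {release}")

    # 3. test-keys means the image was signed with the public AOSP test keys.
    if tags and "test-keys" in tags:
        findings.append("ro.build.tags contains test-keys: not a production-signed build")

    # 4. Debug exposure (assumed extra checks; properties not in the report).
    if props.get("ro.debuggable") == "1":
        findings.append("ro.debuggable=1: debuggable build, `adb root` is permitted")
    if props.get("ro.secure") == "0":
        findings.append("ro.secure=0: adbd keeps root, device effectively rooted")
    return findings


# Constructed sample: the four property values from the Bluebox report.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [4.4.4]
[ro.build.version.sdk]: [17]
[ro.build.tags]: [test-keys]
[ro.build.fingerprint]: [Xiaomi/cancro/cancro:4.4.4/KTU84P/KXDCNBH25.0:user/release-keys]
"""


def check_sample() -> List[str]:
    """Run the checks over the constructed sample and return the findings."""
    return check_build_props(parse_getprop(SAMPLE_GETPROP))


if __name__ == "__main__":
    for finding in check_sample():
        print("FINDING:", finding)
```

On the sample this reports three findings: API 19 expected but SDK 17 declared, `test-keys` against the fingerprint's `release-keys`, and the test-key signing itself. In practice capture the properties with `adb shell getprop > props.txt` and feed the file to `parse_getprop`; pair it with a manual look for an `su` binary (`adb shell ls -l /system/xbin/su /system/bin/su`), which this script does not cover.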
So if you are considering buying, or have already bought, the Xiaomi Mi4 LTE, note these facts published by Bluebox and take the necessary action to mitigate the problem. To combat this risk, employees and enterprises need to be careful about how they secure data (personal and corporate) on their devices.
One possible solution is to root the device completely and install an operating system of your own choice; if you do, make sure the replacement ROM comes from a source whose build you can verify, or you have only swapped one untrusted image for another.
Reviewed by Unknown on 3/07/2015