Security researchers have found 20 dangerous vulnerabilities affecting various apps and system components on Xiaomi mobile devices. Some of the reported flaws could allow theft of arbitrary files and leak information about connected networks and emergency contacts.
“The vulnerabilities in Xiaomi led to access to arbitrary activities, receivers and services with system privileges, theft of arbitrary files with system privileges, disclosure of phone, settings, and Xiaomi account data, and other vulnerabilities,” security researchers from Oversecured wrote in their report.
Some of the applications and system components were even found to contain more than one security flaw.
Components and applications affected
The researchers found vulnerabilities in the following components:
- Security app (com.miui.securitycenter) – A vulnerability in this application lets an attacker act with system privileges and reach arbitrary activities of any application installed on the device.
- Settings (com.android.settings) – This component had several vulnerabilities. One flaw could leak information about Bluetooth devices, connected Wi-Fi networks, Xiaomi account details, and filtered phone numbers. Another could let an attacker read device files with system privileges.
- GetApps (com.xiaomi.mipicks) – Exploiting a flaw in this component could lead to memory corruption. The bug originates in the third-party LiveEventBus library; it was reported more than a year earlier, but no fixed version of the library had been released at the time of writing.
- MIUI Bluetooth (com.xiaomi.bluetooth) – A flaw in this application could enable theft of arbitrary files and leak Bluetooth data.
- Security core component (com.miui.securitycore) – A vulnerability in this component could allow an attacker to change device settings.
- Phone services (com.android.phone) – A flaw could expose telephony data.
- System Tracing (com.android.traceur) – This component contained a shell command injection bug.
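The first finding above, access to arbitrary activities of other apps with system privileges, is the classic Android “intent redirection” (proxy) pattern: a privileged component accepts an Intent from any caller and starts it under its own identity. The following is an added illustration of that bug class and one way to harden it; it is not code from Xiaomi or from the Oversecured report, and the class name, extra name and `ProxyActivity` itself are hypothetical.

```java
// Added illustration of the intent-redirection pattern (hypothetical code,
// not Xiaomi's). Assumes an Activity in a system-privileged app that forwards
// an embedded Intent it receives from an arbitrary caller.
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.content.pm.ActivityInfo;
import android.content.pm.PackageManager;
import android.os.Bundle;

public class ProxyActivity extends Activity {
    // Hypothetical name of the extra carrying the Intent to forward.
    static final String EXTRA_NEXT = "next_intent";

    // VULNERABLE: any app can send us an Intent containing another Intent, and
    // we start it with our own (system) identity. The caller can thereby reach
    // activities that are not exported or that require privileged permissions,
    // and can ride on any URI-grant flags we hold.
    void startNextUnsafe(Intent incoming) {
        Intent next = incoming.getParcelableExtra(EXTRA_NEXT);
        if (next != null) {
            startActivity(next);
        }
    }

    // HARDENED: forward only explicit, exported, unprotected components that
    // live outside this package, and strip URI-grant flags so the caller cannot
    // use our identity to obtain access to our content providers (file theft).
    void startNextSafe(Intent incoming) {
        Intent next = incoming.getParcelableExtra(EXTRA_NEXT);
        if (next == null) return;

        ComponentName target = next.getComponent();
        if (target == null) return;                                    // reject implicit intents
        if (getPackageName().equals(target.getPackageName())) return;  // never our own components

        ActivityInfo info;
        try {
            info = getPackageManager().getActivityInfo(target, 0);
        } catch (PackageManager.NameNotFoundException e) {
            return;                                                    // unknown target
        }
        if (!info.exported) return;           // respect the target's own export flag
        if (info.permission != null) return;  // do not act as a deputy for permission-guarded targets

        next.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
                | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
                | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION);
        startActivity(next);
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        startNextSafe(getIntent());
        finish();
    }
}
```

The key checks are the explicit-component requirement, the rejection of targets inside the privileged app's own package, and the removal of URI-grant flags; a proxy that is itself not exported (android:exported="false" in the manifest) avoids the problem entirely when no external caller is needed.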
Other apps and components impacted include:
- MI Video (com.miui.videoplayer)
- Gallery (com.miui.gallery)
- Print Spooler (com.android.printspooler)
- Xiaomi Cloud (com.miui.cloudservices)
- ShareMe (com.xiaomi.midrop)
The security flaws in Xiaomi devices stem from Xiaomi's modifications to legitimate Android Open Source Project (AOSP) components, among them Settings, System Tracing, and Phone Services. Manufacturers routinely modify these components to add functionality, and that added code is where the bugs were introduced.
Most of these vulnerabilities have already been patched, the LiveEventBus issue in GetApps noted above being the exception, so anyone using a Xiaomi device should install the latest available security updates.