Earlier this week, Bluebox, a data security company, released a findings report on their tests of the Xiaomi Mi 4 smartphone. Unfortunately for Xiaomi, their results were far from stellar. Not only did the security firm find malicious malware installed on the device, but some of it was even disguised to appear as Google apps. Even worse, they believe an unknown third party tampered with the Android-powered smartphone. Read on for more details about what they found, as well as Xiaomi’s official response to the report.
Among the malicious installations the security researchers found were trojans that allowed hackers access to the device, as well as adware that was disguised to look like a verified Google application. While Bluebox said they checked the device with Xiaomi’s “Mi Identification” app to make sure it was the real product, in short they found it “vulnerable to every vulnerability we scanned for.” Worst of all, they said signatures in several of the phone’s app didn’t match with the signing key Xiaomi normally used, leading them to believe there may have been third-party tampering.
Bluebox lead security analyst Andrew Blaich wrote that the version of Android running on the Mi 4 was non-certified, appearing to be a combination of KitKat 4.4.4 and an older version of the OS. Many of the security holes and bugs they discovered were said to be directly related to older versions of Android. Blaich added that it wasn’t clear to them if the device they received was a final consumer product, or a model meant for testing.
The security report was posted on Bluebox’s website on Thursday, after they said they received no response from Xiaomi, however the Chinese company was quick to reply on Friday. Hugo Barra, Xiaomi’s VP of International, wrote that they believed what Bluebox tested “is not using a standard MIUI ROM, as our factory ROM and OTA ROM builds are never rooted and we don’t pre-install services such as YT Service, PhoneGuardService, AppStats etc.” The executive points out that Bluebox purchased their Mi 4 from a physical retailer in China, and as a result may have received a tampered device. Xiaomi only sells its phones through its official online store and selected carriers, not via third-party retailers, Barra said.
Bluebox’s Blaich wasn’t totally convinced by the explanation, writing that just because the device they’d purchased had been altered at the retail level, it doesn’t mean the phone couldn’t also be tampered with during transit after ordering from mi.com, where Xiaomi recommends customers purchase their products.
Update: Xiaomi has contacted SlashGear with an official statement, confirming an investigation is underway and suggesting that Bluebox was sold a counterfeit phone. In addition to publishing Xiaomi’s comment in full, below, we have updated our title to reflect the ongoing development of this story.
“There are glaring inaccuracies in the Bluebox blog post. Official Xiaomi devices do not come rooted and do not have malware pre-installed. Our investigation based on information received so far indicates that the phone Bluebox obtained is a counterfeit product purchased through an unofficial channel on the streets in China. We’re gathering more information to fully confirm this and should have a final answer in the next 24 hours.
With the large parallel street market for mobile phones in China, not only is it somewhat common for third parties to tamper with the software sold on smartphones, but there are counterfeit products which are almost indistinguishable from the original products on the outside. This happens across all brands, affecting both Chinese and foreign smartphone companies selling in China.
Furthermore, “entrepreneurial” retailers may add malware and adware to these devices, and even go to the extent of pre-installing modified copies of popular benchmarking software such as CPU-Z and Antutu, which will run “tests” showing the hardware is legitimate — fooling even very discerning buyers.
Xiaomi takes all necessary measures to crack down on the manufacturers of fake devices or anyone who tampers with our software, supported by all levels of law enforcement agencies in China. However, for the safety of our users, Xiaomi and all smartphone brands always recommend buying phones through authorised channels. Xiaomi only sells via Mi.com, and a small number of Xiaomi trusted partners including mobile operators and select authorised retailers, such as Flipkart in India.
In addition, contrary to what Bluebox has claimed, MIUI is true Android, which means MIUI follows exactly Android CDD, Google’s definition for compatible Android devices, and it passes all Android CTS tests, the process used by the industry to make sure a given device is fully Android compatible. All Xiaomi devices sold in China and international markets are fully Android compatible.”