Xiaomi solves Mi 4 malware dustup: device was counterfeit

Nate Swanner - Mar 9, 2015, 9:05am CDT
Xiaomi solves Mi 4 malware dustup: device was counterfeit

Yesterday, news surfaced that the Xiaomi Mi 4 came preloaded with malware. While we can handle a little bloatware, malware is just — no. Even more subversive than straight-up malware, some of the apps installed were disguised as Google apps. Security company Bluebox, who released the report, even suggested Xiaomi handed their handset off to a third party to get the malware installed, which is about as low as you can get. Now, Xiaomi has their say, and comfortably quashed any thought of malware on their devices.


The takeaway: Bluebox was fooled. According to Xiaomi, the internal device photos Bluebox supplied them don’t match what comes from their factory, and the hardware is slightly different as well. The IMEI number on the device is a known clone, and has been used in Xiaomi scams before.

Finally, the software installed isn’t an official MIUI build. That can only mean one thing: Bluebox tested a counterfeit device.

Xiaomi says they’ve worked closely with Bluebox, and both agree the device tested was an absolute forgery:

As this device is not an original Xiaomi product, and not running an official Xiaomi MIUI software build, Bluebox’s findings are completely inaccurate and not representative of Xiaomi devices. We believe Bluebox jumped to a conclusion too quickly without a fully comprehensive investigation (for example, they did not initially follow our published hardware verification process correctly due to language barrier) and their attempts to contact Xiaomi were inadequate, considering the severity of their accusations.

Xiaomi, to their credit, categorically deny and refute all parts of Bluebox’s findings. As for the claim Xiaomi doesn’t run a certified Android build, Xiaomi says “In addition, contrary to what Bluebox has claimed, MIUI is true Android, which means MIUI follows exactly Android CDD, Google’s definition for compatible Android devices, and it passes all Android CTS tests, the process used by the industry to make sure a given device is fully Android compatible. All Xiaomi devices sold in China and international markets are fully Android compatible.”

As always, be careful where you buy your devices from, and only download apps from official software portals. If you’re interested, Xiaomi’s statement in its entirety is below.

On March 5 2014, Bluebox published an initial report on their website claiming that a Mi 4 bought in China comes pre-installed with malware. Here’s our response after careful investigation:

SUMMARY:

– Xiaomi and Bluebox have confirmed that the device Bluebox obtained is a counterfeit product.
– Bluebox’s reported findings are therefore inaccurate and not representative of Mi phones.
– We always recommend our users buy Mi phones only through our official channels, including Mi.com and select partners such as mobile operators and authorised retailers.
– All Mi phones sold around the world are verified to be fully Android compatible.

DETAILS:

We have concluded our investigation on this topic — the device Bluebox obtained is 100% proven to be a counterfeit product purchased through an unofficial channel on the streets in China. It is therefore not an original Xiaomi product and it is not running official Xiaomi software, as Bluebox has also confirmed in their updated blog post.

1) Hardware: Xiaomi hardware experts have looked at the internal device photos provided to us by Bluebox and confirmed that the physical hardware is markedly different from our original Mi 4.

2) IMEI number: Xiaomi after-sales team has confirmed that the IMEI on the device from Bluebox is a cloned IMEI number which has been previously used on other counterfeit Xiaomi devices in China.

3) Software: Xiaomi MIUI team has confirmed that the software installed on the device from Bluebox is not an official Xiaomi MIUI build as our devices do not come rooted and do not have any malware pre-installed.

As this device is not an original Xiaomi product, and not running an official Xiaomi MIUI software build, Bluebox’s findings are completely inaccurate and not representative of Xiaomi devices. We believe Bluebox jumped to a conclusion too quickly without a fully comprehensive investigation (for example, they did not initially follow our published hardware verification process correctly due to language barrier) and their attempts to contact Xiaomi were inadequate, considering the severity of their accusations.

With the large parallel street market for mobile phones in China, there exists counterfeit products that are almost indistinguishable on the outside. This happens across all brands, affecting both Chinese and foreign smartphone companies selling in China. Furthermore, “entrepreneurial” retailers may add malware and adware to these devices, and even go to the extent of pre-installing modified copies of popular benchmarking software such as CPU-Z and Antutu, which will run “tests” showing the hardware is legitimate.

Xiaomi takes all necessary measures to crack down on the manufacturers of fake devices or anyone who tampers with our software, supported by all levels of law enforcement agencies in China.

We have so far not received meaningful reports of counterfeit Mi phones outside of China. However, to give our international users peace of mind, an English version of our verification app (that certifies the authenticity of Mi hardware) is in the works.

Like all other consumer electronics brands, we always recommend buying Mi phones through authorised channels. Xiaomi only sells via Mi.com, and a small number of Xiaomi trusted partners including mobile operators and select authorised retailers, such as Flipkart in India and others that will be announced in the future.

In addition, contrary to what Bluebox has claimed, MIUI is true Android, which means MIUI follows exactly Android CDD, Google’s definition for compatible Android devices, and it passes all Android CTS tests, the process used by the industry to make sure a given device is fully Android compatible. All Xiaomi devices sold in China and international markets are fully Android compatible.


Must Read Bits & Bytes