IBM discovers MIUI vulnerability affecting Xiaomi devices

The flaw could allow hackers to remotely install malware on devices


A vulnerability in Xiaomi's MIUI platform could allow hackers to break into devices and install malware remotely, IBM researchers have discovered.

The flaw lies in Xiaomi's analytics package, which is bundled into multiple applications, including the built-in browser, as part of the company's custom-built Android operating system. These applications could be targeted by a man-in-the-middle attack: an attacker positioned on the network path could inject code that then runs with system-level privileges.

"This attack also involved code injection inside of the update framework. These attack vectors are not new and have been previously disclosed in other platforms," IBM said.

Once the analytics component determined which version of the firmware the device was running, it downloaded an Android application package (APK) to the file system inside the local application sandbox, where the host application loaded and executed it. Because the host executes whatever it received, an attacker who can tamper with that download gets to run their own code.

In a blog post, IBM explained that Xiaomi has remediated the flaw as of MIUI Global Stable version 7.2, so users should update to that version or later as soon as possible to close the issue completely.

"Developers should take care to only transact code-related data over a verified, secure transport with certificate pinning such as TLS. Additionally, the code itself should be cryptographically signed and properly verified by the host application prior to execution," Roee Hay, X-Force application security research team leader at IBM, said.

"Furthermore, we believe that a discussion should take place as to whether any application should have the ability to execute unsigned code via DexClassLoader, dynamic library injection or any other method on the Android platform."
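The two points above, the update mechanism that loads whatever it downloaded and Hay's recommended fix of signing the code and verifying it in the host before execution, can be shown side by side. The following is an added example, not code from IBM's post or from MIUI: it assumes a hypothetical update format (version label, payload, detached Ed25519 signature over a version-bound digest), uses constructed byte strings as stand-ins for the downloaded bytecode, and replaces the Android class-loader step with a function that simply returns the payload once it has been verified. The man-in-the-middle is simulated by editing the update in memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update models what a self-update endpoint hands back to the host app:
// a version label, the code payload (an APK in the MIUI case) and a
// detached signature made with the publisher's private key. Hypothetical format.
type Update struct {
	Version   string
	Payload   []byte
	Signature []byte
}

// signedMessage is the exact byte string that gets signed: SHA-256 over
// version || 0x00 || payload. Binding the version in stops a genuine but
// old payload from being replayed under a newer version label.
func signedMessage(version string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(version))
	h.Write([]byte{0})
	h.Write(payload)
	return h.Sum(nil)
}

// NewPublisherKey generates the publisher's Ed25519 key pair. Only the public
// half is ever shipped inside the app; the private half stays with the vendor.
func NewPublisherKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignUpdate is the server side: sign the version-bound digest of the payload.
func SignUpdate(priv ed25519.PrivateKey, version string, payload []byte) Update {
	return Update{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(priv, signedMessage(version, payload)),
	}
}

// VerifyUpdate is the client side. It releases the payload to the caller
// only after the signature checks out under the pinned public key; the host
// application must not hand bytes to its class loader before this succeeds.
func VerifyUpdate(pinned ed25519.PublicKey, u Update) ([]byte, error) {
	if len(u.Signature) != ed25519.SignatureSize {
		return nil, errors.New("update rejected: malformed signature")
	}
	if !ed25519.Verify(pinned, signedMessage(u.Version, u.Payload), u.Signature) {
		return nil, errors.New("update rejected: signature does not verify under pinned key")
	}
	return u.Payload, nil
}

// Demo pushes three deliveries through VerifyUpdate and reports which were
// accepted: the genuine update, a copy whose payload an on-path attacker
// swapped, and a genuine old payload re-labelled with a newer version.
func Demo() (genuine, tampered, replayed bool, err error) {
	pub, priv, err := NewPublisherKey()
	if err != nil {
		return false, false, false, err
	}
	// Constructed stand-ins for the code the update channel would carry.
	oldCode := []byte("classes.dex v1 (constructed sample, not real bytecode)")
	newCode := []byte("classes.dex v2 (constructed sample, not real bytecode)")

	v1 := SignUpdate(priv, "1.0", oldCode)
	v2 := SignUpdate(priv, "2.0", newCode)

	// 1. Genuine update arrives untouched.
	_, e := VerifyUpdate(pub, v2)
	genuine = e == nil

	// 2. MITM swaps the payload but cannot re-sign without the private key.
	mitm := v2
	mitm.Payload = []byte("classes.dex injected by attacker (constructed)")
	_, e = VerifyUpdate(pub, mitm)
	tampered = e == nil

	// 3. MITM replays the genuine v1 bytes and signature under the v2 label.
	replay := Update{Version: "2.0", Payload: v1.Payload, Signature: v1.Signature}
	_, e = VerifyUpdate(pub, replay)
	replayed = e == nil
	return genuine, tampered, replayed, nil
}

func main() {
	g, t, r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine accepted: %v, tampered accepted: %v, replayed accepted: %v\n", g, t, r)
}
```

Signing does not replace TLS with certificate pinning: the transport stops an on-path attacker from reading or downgrading the exchange, while the signature is what stops a tampered or replayed payload from ever reaching the class loader, even if the transport is compromised. A device that only checks the transport is still exposed to a malicious or mis-issued certificate; a device that only checks the signature still leaks which firmware version it runs.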

IBM commended Xiaomi's security team for responding quickly: within days of the disclosure, the vulnerability was confirmed and classified, and IBM was told when a fix would be delivered.
