IBM discovers MIUI vulnerability affecting Xiaomi devices

The flaw could allow hackers to remotely install malware in devices

A vulnerability in Xiaomi's MIUI platform could allow hackers to break into devices and install malware remotely, IBM researchers have discovered.

The flaw was found in multiple applications within Xiaomi's analytics package, which forms part of its custom-built Android operating system. These applications, including the built-in browser app, could be targeted by a man-in-the-middle attack, which means remote hackers can run code at the system level.

"This attack also involved code injection inside of the update framework. These attack vectors are not new and have been previously disclosed in other platforms," IBM said.

When the program had determined which version of the firmware the device is running, it would then download and execute the Android application package to the file system within the local application sandbox context, where it is loaded by the host application and executed. 

In a blog post, IBM explained the flaw had been remediated by Xiaomi from MIUI Global Stable version 7.2, but users should still update their devices as soon as possible, to eradicate the issue completely.

"Developers should take care to only transact code-related data over a verified, secure transport with certificate pinning such as TLS. Additionally, the code itself should be cryptographically signed and properly verified by the host application prior to execution," Roee Hay, X-Force application security research team leader at IBM said.

"Furthermore, we believe that a discussion should take place as to whether any application should have the ability to execute unsigned code via DexClassLoader, dynamic library injection or any other method on the Android platform."

The company said it would like to commend Xiaomi's security team for responding quickly to the threat, saying that within days of the disclosure, the vulnerability was confirmed and classified and IBM was provided with details of when a fix would be delivered.

Featured Resources

Virtual desktops and apps for dummies

An easy guide to virtual desktop infrastructure, end-user computing, and more

Download now

The total economic impact of optimising and managing your hybrid multi-cloud

Cost savings and business benefits of accelerating the cloud journey

Download now

A buyer’s guide for cloud-based phone solutions

Finding the right phone system for your modern business

Download now

What’s next for the education sector?

A new learning experience

Download now

Recommended

Biden calls for $22 billion in cyber security funding
Security

Biden calls for $22 billion in cyber security funding

18 May 2021
Avast’s Business Hub helps eliminate gaps in cyber defense
Security

Avast’s Business Hub helps eliminate gaps in cyber defense

18 May 2021
NETSCOUT threat intelligence report
Whitepaper

NETSCOUT threat intelligence report

18 May 2021
Defend your organisation from evolving ransomware attacks
ransomware

Defend your organisation from evolving ransomware attacks

18 May 2021

Most Popular

KPMG offers staff 'four-day fortnight' in hybrid work plans
flexible working

KPMG offers staff 'four-day fortnight' in hybrid work plans

6 May 2021
Hackers use open source Microsoft dev platform to deliver trojans
Security

Hackers use open source Microsoft dev platform to deliver trojans

14 May 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

30 Apr 2021