IBM discovers MIUI vulnerability affecting Xiaomi devices

The flaw could allow hackers to remotely install malware in devices

A vulnerability in Xiaomi's MIUI platform could allow hackers to break into devices and install malware remotely, IBM researchers have discovered.

The flaw was found in multiple applications within Xiaomi's analytics package, which forms part of its custom-built Android operating system. These applications, including the built-in browser app, could be targeted by a man-in-the-middle attack, which means remote hackers can run code at the system level.

"This attack also involved code injection inside of the update framework. These attack vectors are not new and have been previously disclosed in other platforms," IBM said.

Once the program had determined which version of the firmware the device was running, it would download the Android application package to the file system within the local application sandbox context, where it was loaded by the host application and executed.


In a blog post, IBM explained the flaw had been remediated by Xiaomi from MIUI Global Stable version 7.2, but users should still update their devices as soon as possible, to eradicate the issue completely.

"Developers should take care to only transact code-related data over a verified, secure transport with certificate pinning such as TLS. Additionally, the code itself should be cryptographically signed and properly verified by the host application prior to execution," Roee Hay, X-Force application security research team leader at IBM, said.

"Furthermore, we believe that a discussion should take place as to whether any application should have the ability to execute unsigned code via DexClassLoader, dynamic library injection or any other method on the Android platform."

The company said it would like to commend Xiaomi's security team for responding quickly to the threat, saying that within days of the disclosure, the vulnerability was confirmed and classified and IBM was provided with details of when a fix would be delivered.
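
The "signed and verified by the host application prior to execution" check recommended above, as an added example (not code from IBM, Xiaomi or the original article). It runs on a plain JVM; the class and method names are hypothetical, and the vendor key pair and package bytes are constructed in place.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;

public class UpdateVerifier {
    // Public key shipped inside the host app (pinned at build time), X.509/SPKI encoded.
    private final PublicKey pinnedKey;

    UpdateVerifier(byte[] pinnedSpki) throws GeneralSecurityException {
        pinnedKey = KeyFactory.getInstance("EC").generatePublic(new X509EncodedKeySpec(pinnedSpki));
    }

    // True only if sig is a valid ECDSA signature over the exact package bytes.
    boolean isTrusted(byte[] pkg, byte[] sig) {
        try {
            Signature v = Signature.getInstance("SHA256withECDSA");
            v.initVerify(pinnedKey);
            v.update(pkg);
            return v.verify(sig);
        } catch (GeneralSecurityException e) {
            return false; // malformed signature or unusable key: fail closed
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the vendor signing key; in practice the
        // private half stays on the build server and never reaches the device.
        KeyPairGenerator g = KeyPairGenerator.getInstance("EC");
        g.initialize(256);
        KeyPair vendor = g.generateKeyPair();

        byte[] pkg = "constructed update package bytes".getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(vendor.getPrivate());
        s.update(pkg);
        byte[] sig = s.sign();

        UpdateVerifier verifier = new UpdateVerifier(vendor.getPublic().getEncoded());
        System.out.println("genuine package accepted: " + verifier.isTrusted(pkg, sig));

        // Same signature, but the package was altered in transit (one bit flipped).
        byte[] tampered = pkg.clone();
        tampered[0] ^= 0x01;
        System.out.println("tampered package accepted: " + verifier.isTrusted(tampered, sig));
    }
}
```

The host application would write the package to its sandbox and load it only after `isTrusted` returns true, so a package modified by a man-in-the-middle is discarded before any of its code runs.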
