Theoretically, Xiaomi can install any application on its smartphones through a deliberately left backdoor.

Xiaomi can remotely install any application on any smartphone it manufactures. This came to light after a Dutch computer security student noticed a strange pre-installed application, AnalyticsCore.apk, running around the clock on a Xiaomi MI4 smartphone.
After his question about the origin of AnalyticsCore.apk was ignored on the official technical support forum, Thijs Broenink reverse engineered the application and found that every 24 hours it communicates with the company's official servers. Each time, the application sends the device's IMEI, MAC address, digital signatures and other information. If an update in the form of Analytics.apk is available on the server, it is automatically installed on the smartphone without any confirmation from the user.
Broenink believes that this privileged Xiaomi application launches the installation in the background on its own, without involving the user. From this he concluded that Xiaomi can slip any package onto the device under the guise of Analytics.apk and force its installation in the background.
The Dutch student could not find any information on why Xiaomi needed such a backdoor. The main problem is that the apk communicates with the server over HTTP, so the data exchange is exposed to man-in-the-middle attacks.
Another problem is that even after AnalyticsCore.apk is removed, it reappears on the phone after a while, i.e. it cannot be removed by ordinary means.
For some time the Xiaomi team persistently ignored the discussion of AnalyticsCore.apk on the company's official technical support forum, but it eventually commented on the topic:
"AnalyticsCore is an embedded component of the MIUI system and is used by MIUI for data analysis to help the company's developers improve the UI of products."
At the same time, the developers claim that there is no vulnerability, because Analytics.apk is protected by a digital signature, which is always checked before installing the application update on a smartphone. In their opinion, this is sufficient protection against intruders.
"Any apk under the guise of AnalyticsCore cannot be installed precisely because of the verification of the digital signature, and in the April / May updates from MIUI 7.3 we added support for the HTTPS protocol to improve user security and eliminate the possibility of a man-in-the-middle attack."
The company refrained from commenting on the possibility of any application being installed by Xiaomi on the user's device.
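
As an added illustration (not from the original report or from Xiaomi), the sketch below shows how a network defender could flag the kind of cleartext exchange described above: it scans proxy log lines for plain-HTTP requests whose query string carries an IMEI (15 digits with a valid Luhn check digit) or a MAC address. The log format, hostnames and parameter names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")

def is_imei(value):
    """True for a 15-digit string whose Luhn checksum is valid."""
    if not re.fullmatch(r"[0-9]{15}", value):
        return False
    total = 0
    for i, ch in enumerate(reversed(value)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def leaked_identifiers(url):
    """Return the kinds of device identifier this URL exposes in cleartext."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":   # HTTPS query strings are encrypted in transit
        return []
    kinds = []
    for _name, value in parse_qsl(parts.query):
        if is_imei(value):
            kinds.append("imei")
        elif MAC_RE.match(value):
            kinds.append("mac")
    return kinds

def scan(log_lines):
    """Return (client, host, kinds) for each log line that leaks an identifier."""
    findings = []
    for line in log_lines:
        client, url = line.split()[:2]
        kinds = leaked_identifiers(url)
        if kinds:
            findings.append((client, urlsplit(url).hostname, kinds))
    return findings

# Constructed sample in the assumed format "<client-ip> <url>"; hosts and parameter names are made up.
SAMPLE_LOG = [
    "10.0.0.21 http://updates.example.invalid/check?i=490154203237518&m=AC:DE:48:00:11:22&v=1",
    "10.0.0.21 https://updates.example.invalid/check?i=490154203237518",
    "10.0.0.34 http://cdn.example.invalid/img?id=123456789012345",  # 15 digits, fails Luhn
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The Luhn check keeps arbitrary 15-digit values, such as the third sample line, from being reported as IMEIs.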