Xiaomi Mi 4 flagship riddled with malware and uncertified Android version, or is it? [Update]
Updated at 18:00 IST: Bluebox and Xiaomi are now confirming that the handset the security firm tested was a counterfeit product purchased through an unofficial channel. You can read Xiaomi's full statements below.
Xiaomi’s Mi 4 is one of the best smartphones you cannot purchase so easily -- but it might be for the best, it seems. Don’t get me wrong: The Mi 4 packs in top-of-the-line specifications, the latest Android-based operating system, and is incredibly cheap, but if data security firm Bluebox's latest report is to be believed, it also comes with malware and a host of other issues. The handset seems to have been tampered with by an unidentified third party, however. We’ll have more details on this later today.
The security firm has flagged the handset by the Chinese smartphone manufacturer for a number of reasons including issues like pre-installed malware and an adware that disguises itself as a verified Google application, and vulnerability to several flaws. Furthermore, the operating system running on the Xiaomi’s smartphone is a non-certified version of Android. “[Xiaomi Mi 4’s] vulnerable to every vulnerability we scanned for”, wrote Andrew Blaich, lead security expert at Bluebox.
Blaich noted that the Mi 4 is running a non-certified version of Android that hosts a number of vulnerabilities that date back to old Android software, leading the firm to believe that Mi 4’s MIUI ROM is a mashup between KitKat, and an older version of Android. For the stated reasons, the firm concludes that the smartphone might not be ready for "consumer use".
But that’s not all the issues Bluebox could find in the phone. The smartphone apparently comes with a number of apps that were flagged as malware, spyware or adware by Bluebox. One such app was Yt Service, which as the security firm notes, is a piece of adware. The firm notes that this app comes pre-installed in all Mi 4 LTE capable variants. "This was an interesting find because, though the app was named Yt Service, the developer package was named com.google.hfapservice (note this app is NOT from Google)", Blaich wrote on a blog post.
The smartphone also comes pre-installed with PhoneGuardService, which Bluebox marks as a Trojan. It allows malefactors to hijack the device. SMSreg and AppStats, two other apps have been flagged as risky software.
The handset that Bluebox tested was also prone to several vulnerabilities. "Not only was the device vulnerable to every vulnerability we scan for (except for Heartbleed which only was vulnerable in 4.1.1), it was also rooted and had USB debugging mode enabled without proper prompting to talk with a connected computer", Blaich explained.
Xiaomi reached out to Bluebox, and noted that the handset the security firm had tested seems to have been tampered with as several apps held signatures that differed from the manufacturer’s signing key. Furthermore, the firm also pointed out that it doesn’t sell rooted phones and several apps mentioned are not placed in its handsets at all.
“We are certain the device that Bluebox tested is not using a standard MIUI ROM, as our factory ROM and OTA ROM builds are never rooted and we don’t pre-install services such as YT Service, PhoneGuardService, AppStats etc. Bluebox could have purchased a phone that has been tampered with, as they bought it via a physical retailer in China. Xiaomi does not sell phones via third-party retailers in China, only via our official online channels and selected carrier stores.”, Hugo Barra, VP International at Xiaomi told the firm.
Bluebox isn’t satisfied with the Xiaomi’s response and notes several additional flaws in the company’s smartphone. “If it’s this easy to modify the device in the retail chain, it could also be modified in transit, even when purchased from mi.com,” he wrote while also referencing a recent article from Der Spiegel which shows off a modern form of wiretapping wherein the U.S. intelligence officials are able to intercept computers before they reach their destination and load them with malware.
This isn’t the first time a Chinese smartphone has been flagged for inconsistency and serving malware. Xiaomi’s smartphone itself has been previously accused of sending private information to Chinese servers. We’ve also seen several cases where a Chinese or Indian smartphone has been tampered with during the transit or at the factory and placed with adware. More on this as it develops, but for now we stress that this is only one questionable report.
Xiaomi plans to debut in the U.S. market by the end of this year.
Update: Xiaomi reached out to us, and provided this statement.
We have concluded our investigation on this topic -- the device Bluebox obtained is 100 percent proven to be a counterfeit product purchased through an unofficial channel on the streets in China. It is therefore not an original Xiaomi product and it is not running official Xiaomi software, as Bluebox has also confirmed in their updated blog post.
1. Hardware: Xiaomi hardware experts have looked at the internal device photos provided to us by Bluebox and confirmed that the physical hardware is markedly different from our original Mi 4.
2. IMEI number: Xiaomi after-sales team has confirmed that the IMEI on the device from Bluebox is a cloned IMEI number which has been previously used on other counterfeit Xiaomi devices in China.
3. Software: Xiaomi MIUI team has confirmed that the software installed on the device from Bluebox is not an official Xiaomi MIUI build as our devices do not come rooted and do not have any malware pre-installed.
As this device is not an original Xiaomi product, and not running an official Xiaomi MIUI software build, Bluebox’s findings are completely inaccurate and not representative of Xiaomi devices. We believe Bluebox jumped to a conclusion too quickly without a fully comprehensive investigation (for example, they did not initially follow our published hardware verification process correctly due to language barrier) and their attempts to contact Xiaomi were inadequate, considering the severity of their accusations.
With the large parallel street market for mobile phones in China, there exists counterfeit products that are almost indistinguishable on the outside. This happens across all brands, affecting both Chinese and foreign smartphone companies selling in China. Furthermore, 'entrepreneurial' retailers may add malware and adware to these devices, and even go to the extent of pre-installing modified copies of popular benchmarking software such as CPU-Z and Antutu, which will run 'tests' showing the hardware is legitimate.
Xiaomi takes all necessary measures to crack down on the manufacturers of fake devices or anyone who tampers with our software, supported by all levels of law enforcement agencies in China.
We have so far not received meaningful reports of counterfeit Mi phones outside of China. However, to give our international users peace of mind, an English version of our verification app (that certifies the authenticity of Mi hardware) is in the works.
Like all other consumer electronics brands, we always recommend buying Mi phones through authorized channels. Xiaomi only sells via Mi.com, and a small number of Xiaomi trusted partners including mobile operators and select authorized retailers, such as Flipkart in India and others that will be announced in the future.
In addition, contrary to what Bluebox has claimed, MIUI is true Android, which means MIUI follows exactly Android CDD, Google's definition for compatible Android devices, and it passes all Android CTS tests, the process used by the industry to make sure a given device is fully Android compatible. All Xiaomi devices sold in China and international markets are fully Android compatible.