New Xiaomi Mi 4 LTE Smartphones Are Sold With Spyware, Say Researchers

The security risks found in China’s smartphones—particularly those from Xiaomi, the country’s largest smartphone maker—may tie to a deeper problem, according to recent findings from researchers at mobile security company BlueBox.

“Android is very popular in China,” says a BlueBox report, noting almost 90 percent of smartphones in China run on Android.

The problem with China’s Android addiction, it adds, is that “few, if any, of these devices run a Google certified version of Android.”

In other words, while 9 in 10 smartphones in China are running Android, potentially none of them are running certified versions of Android—and that’s where problems start to come up.

If you aren’t running a certified version of Android, BlueBox notes, it means you also can’t use Google services like Google Play Store. The devices would also not be required to pass Google’s approved set of tests, and the devices can be shipped with known vulnerabilities that Google has already patched.

Researchers from BlueBox recently traveled to China where they purchased one of Xiaomi’s more popular smartphones, the new Mi 4 LTE, and brought it back to their digital labs for testing.

There were two things they wanted to find out. First they wanted to know whether the phone was a counterfeit, or an actual device from Xiaomi. Second, they wanted to see what types of malware or vulnerabilities they could find on the device.

The first test passed, they say, and “we determined that our Xiaomi Mi4 LTE was, in fact legitimate.”

The second test, however, told another story. The device was loaded with vulnerabilities and potentially harmful software.

Xiaomi did not immediately respond to questions about the allegations sent by email.

Risks to Users

After scanning the smartphone with malware and antivirus scanners, according to BlueBox, “we found six suspicious apps that can be considered malware, spyware or adware ...”

One of the apps was a piece of malware called “Yt Service,” which can, among other things, deliver unwanted ads to the device. It was also disguised to appears like a safe app vetted by Google, with its package named “com.google.hfapservice.”

Among the other infected apps on the Xiaomi phone was an app called “PhoneGuardService” which BlueBox says is “classified as a trojan,” another app classified as riskware called “AppStats,” and another called “SMSreg” which is classified as malware.

As for vulnerabilities, they add, “Not only was the device vulnerable to every vulnerability we scan for (except for Heartbleed which only was vulnerable in 4.1.1), it was also rooted and had USB debugging mode enabled without proper prompting to talk with a connected computer.”

The “USB debugging mode” is important, since the Xiaomi Mi 4 LTE claims it ships with Android 4.4.4, “which should enforce the Android device to manually authorize an unknown connecting computer.”

An Android phone being “rooted” is similar to an iPhone being “jailbroken.” It alters the phone so it can be modified with new code or software that the developers hadn’t intended. It also opens the phone to malware and voids the warranty on devices running legitimate versions of Android.

This isn’t the first time Xiaomi’s smartphones have been found to spy on users.

A user found in July 2014 that Xiaomi’s Redmi Note was trying to connect to an IP address in Beijing, and continued doing so even after he tried erasing and installing a new version of Android. The user, Kenny Li, posted his findings on Hong Kong’s IMA Mobile.

In August 2014, security company F-Secure investigated the claims, and found the Xiaomi phones contained hidden software to steal user data and sending it to a server in China.

Falling Integrity

Researchers at BlueBox say they tried telling Xiaomi about their findings before posting them, yet did not receive a response. Xiaomi did, however, respond after they posted the findings.

Xiaomi claimed they were “certain” the device used in the test had been tampered with. They claimed they do not “pre-install services such as YT Service, PhoneGuardService, AppStats etc.”

They added that Xiaomi “does not sell phones via third-party retailers in China” and said to only purchase the phones through their official stores.

BlueBox responded with two questions—the first being how users can trust the devices if Xiaomi “can’t ensure integrity from manufacturing to purchase.”

“If a manufacture ships a device that can then be modified by the retailer, or someone else in the distribution chain, how can organizations trust the security of the device and reputation of the brand?” they asked.

BlueBox also questioned why Xiaomi had not responded when they alerted the company about its security flaws.

Xiaomi responded again, saying they were “investigating” why they had not received the warnings sent by BlueBox.