Malware-infested Xiaomi Mi 4 caught in the wild, looks genuine until deep inspection

A few days ago, mobile data security company Bluebox got its hands on a Xiaomi Mi 4 handset to run a few tests on it. See, handsets built and sold in China rarely run a Google-certified version of the Android OS, which excludes them from Google services support and introduces a few vulnerabilities that can be, and often are, exploited by malicious folk. And a brand like Xiaomi, being quite popular in its homeland, is a prime target for hackers.

Bluebox's tests did indeed uncover more than a few worrisome items – an ad-pushing process; a mysterious app named Yt Service, whose developer package was named com.google.hfapservice, though the app has nothing to do with Google; a wide array of vulnerabilities; and conflicting build properties in the Android OS.

Additionally, Bluebox tested the authenticity of the Mi 4 unit it had in its hands by running Xiaomi's own verification app, and using CPU-Z to cross-reference the phone hardware with official specs. The general conclusion was that the device is a legitimate build, which has been tampered with somewhere in the line between manufacturer and retailer.

Bluebox informed Xiaomi of its findings and, a few days later, the OEM replied and both companies joined efforts in figuring out what was wrong with the unit. After numerous detailed pictures had been sent for analysis, and a hidden .apk folder had been discovered on the phone's SD card, it became clear that the handset was a fake – a very, very good one at that.

The phone had all the stickers and labels in all the right places. According to the report, it looks physically like a genuine Mi 4, with some extremely minor build exceptions. The way it fooled CPU-Z and Xiaomi's AntiFake is by using cloned versions of these apps – secretly stored in the hidden .apk folder, the clones would activate whenever the user installs one of said apps on the device, actively replacing it. The false app would then report false data, making the phone appear to be genuine.
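Because the clones answered on behalf of the real apps, on-device self-checks could not be trusted; the check has to compare each app's signing certificate against a value obtained elsewhere. The sketch below is an added example, not code from Bluebox or Xiaomi: it audits an app inventory (package, signer SHA-256, APK path) gathered off-device. All digests, paths and the two `example.*` package names are constructed placeholders; only com.google.hfapservice comes from the report.

```python
# Added example: signer-pinning audit over an app inventory (all digests constructed).
from dataclasses import dataclass

# Constructed placeholder digests; real values come from the genuine publisher's APKs.
GOOGLE_SIGNERS = {"aa" * 32}
PINNED = {
    "example.cpuz.placeholder": "bb" * 32,      # hypothetical package name
    "example.antifake.placeholder": "cc" * 32,  # hypothetical package name
}

@dataclass(frozen=True)
class Finding:
    package: str
    reason: str

def parse_inventory(text):
    """Parse 'package|signer_sha256|apk_path' lines; skip blanks and comments."""
    rows = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3 or len(parts[1]) != 64:
            raise ValueError(f"line {n}: malformed record")
        rows.append((parts[0], parts[1].lower(), parts[2]))
    return rows

def audit(rows):
    """Flag pinned apps with the wrong signer and com.google.* names not signed by Google."""
    findings = []
    for pkg, signer, _path in rows:
        if pkg in PINNED and signer != PINNED[pkg]:
            findings.append(Finding(pkg, "signer differs from pinned publisher key"))
        elif pkg.startswith("com.google.") and signer not in GOOGLE_SIGNERS:
            findings.append(Finding(pkg, "com.google.* name without a Google signer"))
    return findings

SAMPLE = """\
# constructed inventory, not data from the Bluebox report
com.google.android.gms|{g}|/system/priv-app/Gms.apk
com.google.hfapservice|{x}|/system/app/YtService.apk
example.cpuz.placeholder|{x}|/data/app/cpuz.apk
example.antifake.placeholder|{c}|/data/app/antifake.apk
""".format(g="aa" * 32, x="dd" * 32, c="cc" * 32)

if __name__ == "__main__":
    for f in audit(parse_inventory(SAMPLE)):
        print(f"{f.package}: {f.reason}")
```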

The bottom line? Well, if you have your heart set on a Xiaomi smartphone, your best bet is to buy from the company directly. Apparently, the “Apple of China” is now big enough to have near-identical, malware-infested copies of its handsets built and distributed around, so – heads up!




21 Comments

1. AlikMalix unregistered

I read the article, this may be a bit off-topic, but doesn't the Chinese government insist on their "modification" or certain additions to the software before it gets into the hands of consumers? This may be in line with what their government is doing... just asking...

6. vincelongman

Posts: 5585; Member since: Feb 10, 2013

Probably. But the US do the same anyway. The NSA probably have backdoors in anything with an internet connection.

8. AlikMalix unregistered

Wouldn't be surprised...

2. RoboticEngi

Posts: 1250; Member since: Dec 03, 2014

Well, this is exactly why I don't buy cheap Chinese crap.

5. MaryPoopins

Posts: 324; Member since: Jan 15, 2015

This is exactly what? If you didn't already know that fakes were bad news, there's no hope for you.

7. Kruze

Posts: 1285; Member since: Dec 30, 2014

This has nothing to do with buying a "cheap Chinese crap", this is to remind you that if you want to buy a Xiaomi or other phones, you must buy from official stores/websites or trusted sellers and retailers. I guess you have bought many clones, that's why you made such an idiotic comment. How sad. What a dumbass.

9. RoboticEngi

Posts: 1250; Member since: Dec 03, 2014

It doesn't matter where you buy it from, it's just plain cheap crap. And now with malware from start too....

10. Kruze

Posts: 1285; Member since: Dec 30, 2014

The malware is from the fake Mi 4. Gosh, did you even read the article? If you still don't understand, then you're hopeless. Move on.

12. MaryPoopins

Posts: 324; Member since: Jan 15, 2015

It's sad, I came here from GSM Arena because the comments 'generally' looked more intelligent, but hey, I guess every site needs to fill its racist moron quota !! Let's all ignore Mr Engi

15. RoboticEngi

Posts: 1250; Member since: Dec 03, 2014

Sorry, but exactly where do you see me being racist? I find that extremely offending calling me that! !!!!

19. Neo_Huang

Posts: 1067; Member since: Dec 06, 2013

"cheap Chinese crap"

11. dimas

Posts: 3240; Member since: Jul 22, 2014

The article said that the infected phone is fake. This will be the same with cloned Samsung and other products. To be sure, just buy on legitimate online or physical store sellers. If it's not available for your country, just accept the situation and don't try buying on the likes of eBay.

13. shahrooz

Posts: 792; Member since: Sep 17, 2013

Oh look, someone didn't read the article and headed to comment section, WHAT A SURPRISE !!!!

3. yoosufmuneer

Posts: 1518; Member since: Feb 14, 2015

Where's hugobarracyanogenmod? The only fan of CM and Xiaomi

4. MaryPoopins

Posts: 324; Member since: Jan 15, 2015

I'm just gonna LOL at Lyndon420 from our chat yesterday. He knows what I'm talking about ;)

14. beng970804

Posts: 11; Member since: May 21, 2014

Crap from China company

18. Neo_Huang

Posts: 1067; Member since: Dec 06, 2013

"China companies" sell ceramic pottery and tableware. They have nothing to do with phones.

16. Crispin_Gatieza

Posts: 3061; Member since: Jan 23, 2014

Where's Hugo today? Conspicuously missing, no?

17. kevin91202

Posts: 640; Member since: Jun 08, 2014

Another poorly written PA article by an anonymous fellow. Aimless (incorrect) sprinkling of en dashes, semicolons, and commas usually doesn't work. Run-on sentences don't help either.

20. alcheng

Posts: 26; Member since: Nov 10, 2012

The title of the article does mislead readers into an impression of "Xiaomi phones come with malwares". Also, Bluebox didn't disclose where did they get/buy the device from. "Chinese crap"?? What's not made in China nowadays?? And please mind your language.

21. eyeball

Posts: 17; Member since: Mar 14, 2015

Perhaps Hugo Barra and Xiaomi would like to answer how and why the Bluebox app "trustable" is in the Mi app store when Bluebox neither uploaded, nor authorized Xiaomi to load it. This is still unanswered, but perhaps it was the fake phone manufacturer, or somehow hackers loaded it. I mean Xiaomi should have some smart answer for this, right? So we are supposed to believe that some group was able to replicate the phone so precisely, and modify the OS so exactingly as to fool not only Bluebox, but others at Xiaomi at first. Now tell me, who would be able to spend all that time and money, and I'm sure it was very expensive, to be able to pull this off. We are asked to believe all this simply on Xiaomi's word, with no evidence being offered by them. Where are these Android certifications, who performs the certifications on their phones. And why have all the tech writers not written about these new phones finally having Google services. Have I simply missed all this great news. No, I think not. Because up until a few days ago, everyone believed Xiaomi was using a FORKED VERSION! No my fellow Android users, there is much more to this story yet to be revealed. Stay tuned!
