Malware-infested Xiaomi Mi 4 caught in the wild, looks genuine until deep inspection

Malware-infested Xiaomi Mi 4 caught in the wild, looks genuine until deep inspection
A few days ago, mobile data security company Bluebox got their hands on a Xiaomi Mi 4 handset to run a few tests on it. See, handsets built and sold in China rarely run a Google-certified version of the Android OS, which excludes them from Google services support and introduces a few vulnerabilities that can, and often are, exploited by malicious folk. And a brand like Xiaomi, being quite popular in its homeland, is a prime target for hackers.

Bluebox's tests did indeed uncover more than a few worrisome articles – an ad pushing process; a mysterious app, named Yt Service, whose developer package was named com.google.hfapservice, though, the app has noting to do with Google; a wide array of vulnerabilities; and conflicting build properties in the Android OS.

Additionally, Bluebox tested the authenticity of the Mi 4 unit it had in its hands by running Xiaomi's own verification app, and using CPU-Z to cross-reference the phone hardware with official specs. The general conclusion was that the device is a legitimate build, which has been tampered with somewhere in the line between manufacturer and retailer.

Bluebox informed Xiaomi on its findings and, a few days after, the OEM replied and both companies joined efforts in figuring out what's wrong with the unit. After numerous detailed pictures have been sent for analyzing, and the discovery of a hidden .apk folder on the phone's SD card, it became clear that the handset is a fake – a very, very good one at that.

The phone had all the stickers and labels in all the right places. According to the report, it looks physically like a genuine Mi 4, with some extremely minor build exceptions. The way it fooled CPU-Z and Xiaomi's AntiFake is by using cloned versions of these apps – secretly stored in the hidden .apk folder, the clones would activate whenever the user installs one of said apps on the device, actively replacing it. The false app would then report false data, making the phone appear to be genuine.

The bottom line? Well, if you have your heart set on a Xiaomi smartphone, your best bet is to buy from the company directly. Apparently, the “Apple of China” is now big enough to have near-identical, malware-infested copies of its handsets built and distributed around, so – heads up!



Related phones

Mi 4
  • Display 5.0 inches
    1920 x 1080 pixels
  • Camera 13 MP (Single camera)
    8 MP front
  • Hardware Qualcomm Snapdragon 801, 3GB RAM
  • Storage 64GB,
  • Battery 3080 mAh
  • OS Android 6.0 Marshmallow
    Xiaomi MI UI

FEATURED VIDEO

Latest Stories

This copy is for your personal, non-commercial use only. You can order presentation-ready copies for distribution to your colleagues, clients or customers at https://www.parsintl.com/phonearena or use the Reprints & Permissions tool that appears at the bottom of each web page. Visit https://www.parsintl.com/ for samples and additional information.
FCC OKs Cingular's purchase of AT&T Wireless