Malware-infested Xiaomi Mi 4 caught in the wild, looks genuine until deep inspection
A few days ago, mobile data security company Bluebox got their hands on a Xiaomi Mi 4 handset to run a few tests on it. See, handsets built and sold in China rarely run a Google-certified version of the Android OS, which excludes them from Google services support and introduces a few vulnerabilities that can, and often are, exploited by malicious folk. And a brand like Xiaomi, being quite popular in its homeland, is a prime target for hackers.
Bluebox's tests did indeed uncover more than a few worrisome articles – an ad pushing process; a mysterious app, named Yt Service, whose developer package was named com.google.hfapservice, though, the app has noting to do with Google; a wide array of vulnerabilities; and conflicting build properties in the Android OS.
Additionally, Bluebox tested the authenticity of the Mi 4 unit it had in its hands by running Xiaomi's own verification app, and using CPU-Z to cross-reference the phone hardware with official specs. The general conclusion was that the device is a legitimate build, which has been tampered with somewhere in the line between manufacturer and retailer.
The phone had all the stickers and labels in all the right places. According to the report, it looks physically like a genuine Mi 4, with some extremely minor build exceptions. The way it fooled CPU-Z and Xiaomi's AntiFake is by using cloned versions of these apps – secretly stored in the hidden .apk folder, the clones would activate whenever the user installs one of said apps on the device, actively replacing it. The false app would then report false data, making the phone appear to be genuine.
The bottom line? Well, if you have your heart set on a Xiaomi smartphone, your best bet is to buy from the company directly. Apparently, the “Apple of China” is now big enough to have near-identical, malware-infested copies of its handsets built and distributed around, so – heads up!
Additionally, Bluebox tested the authenticity of the Mi 4 unit it had in its hands by running Xiaomi's own verification app, and using CPU-Z to cross-reference the phone hardware with official specs. The general conclusion was that the device is a legitimate build, which has been tampered with somewhere in the line between manufacturer and retailer.
Bluebox informed Xiaomi on its findings and, a few days after, the OEM replied and both companies joined efforts in figuring out what's wrong with the unit. After numerous detailed pictures have been sent for analyzing, and the discovery of a hidden .apk folder on the phone's SD card, it became clear that the handset is a fake – a very, very good one at that.
The phone had all the stickers and labels in all the right places. According to the report, it looks physically like a genuine Mi 4, with some extremely minor build exceptions. The way it fooled CPU-Z and Xiaomi's AntiFake is by using cloned versions of these apps – secretly stored in the hidden .apk folder, the clones would activate whenever the user installs one of said apps on the device, actively replacing it. The false app would then report false data, making the phone appear to be genuine.
The bottom line? Well, if you have your heart set on a Xiaomi smartphone, your best bet is to buy from the company directly. Apparently, the “Apple of China” is now big enough to have near-identical, malware-infested copies of its handsets built and distributed around, so – heads up!
We are certain the device that Bluebox tested is not using a standard MIUI ROM, as our factory ROM and OTA ROM builds are never rooted and we don’t pre-install services such as YT Service, PhoneGuardService, AppStats etc. Bluebox could have purchased a phone that has been tampered with, as they bought it via a physical retailer in China. Xiaomi does not sell phones via third-party retailers in China, only via our official online channels and selected carrier stores. - Hugo Barra, VP International
source: Bluebox via Android Headlines
Things that are NOT allowed: