Xiaomi can silently in­stall any app on your de­vice

The Standard Journal - - LOCAL -

After ask­ing about the pur­pose of An­a­lyt­ic­sCore app on com­pany’s sup­port fo­rum and get­ting no re­sponse, Thijs Broenink re­verse engi­neered the code and found that the app checks for a new up­date from the com­pany's of­fi­cial server ev­ery 24 hours. Dur­ing these re­quests, the app sends de­vice iden­ti­fi­ca­tion in­for­ma­tion with it, in­clud­ing phone's IMEI, Model, MAC ad­dress, Nonce, Pack­age name as well as sig­na­ture.

If there is an up­dated app avail­able on the server with the file­name "An­a­lyt­ics.apk," it will au­to­mat­i­cally get down­loaded and in­stalled in the back­ground with­out user in­ter­ac­tion. This is a way for hack­ers to ex­ploit this loop­hole.

This also means Xiaomi can re­motely and silently in­stall any ap­pli­ca­tion on your de­vice just by re­nam­ing it to "An­a­lyt­ics.apk" and host­ing it on the server.

So, what if hack­ers or any in­tel- ligence agency fig­ure out how to ex­ploit this back­door to silently push mal­ware onto mil­lions of Xiaomi de­vices within just 24 hours?

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.