Does the Xiaomi Mi4 LTE come preinstalled with malware? (+update)

According to mobile security company Bluebox, it appears Xiaomi's Mi4 LTE comes preinstalled with 'shady' apps that leave the phone vulnerable.

Reuters/Anindito Mukherjee/File
Three models of China's Xiaomi Mi phones during their launch in New Delhi. By 2015, some smartphones and smartwatches are going to be as cheap as $60 and $30. Chinese company Xiaomi sells a fitness tracker for just $13.

Update: Xiaomi issued the following statement, "As this device is not an original Xiaomi product, and not running an official Xiaomi MIUI software build, Bluebox’s findings are completely inaccurate and not representative of Xiaomi devices. We believe Bluebox jumped to a conclusion too quickly without a fully comprehensive investigation (for example, they did not initially follow our published hardware verification process correctly due to language barrier) and their attempts to contact Xiaomi were inadequate, considering the severity of their accusations."

While it's not hard for an unsophisticated user to contract malware on an Android phone, Chinese phone manufacturer Xiaomi may have made the entire process a little bit easier. The Xiaomi Mi4 LTE, a top-selling smartphone in China, reportedly comes with malware built-in and a shoddy, vulnerable version of Android on top of that.

Bluebox, a San Francisco-based mobile-security company, got its hands on a brand-new Mi4 LTE from China. After extensive testing to ensure that the device was the genuine article (counterfeit smartphones are common in China), the company published its unsettling findings: The Mi4 LTE appears to be unsafe to use from the moment you take it out of the box.

Using several Android antivirus scanners, Bluebox discovered that the phone contained at least six shady apps. Three in particular were pernicious enough to warrant special mention.

The first, Yt Service, enables a piece of adware known as DarthPusher, which fills the device with intrusive ads. Even more troubling is that Yt Service tricks the phone into thinking that it comes directly from Google, which would likely allay the average Android user's fears about the program.

Another piece of risky software, PhoneGuardService, is arguably worse, as it's actually classified as a Trojan: malware disguised as a legitimate app that could allow malefactors to hijack the phone.

On the other hand, the last suspicious app, AppStats, is considered "riskware." It's not harmful in and of itself, but acts as a tempting target for purveyors of malware as a gateway into the rest of the phone.

When Bluebox ran its own Trustable app, which evaluates a phone's overall security, the Mi4 LTE was open to all seven Android vulnerabilities that Trustable checks for, except the well-known Heartbleed flaw, which was patched after Android 4.1.1 Jelly Bean.

The vulnerabilities may be there because the smartphone uses Xiaomi's own open-source MIUI build of Android, which has not been certified by Google. Although Google and Android are often synonymous in the West, Android is actually open-source Linux software, and anyone can take the stock Android image and build on it. Google is only one of many companies with an Android ecosystem to call its own. (Due to Google's issues with the Chinese government, the Google Play store and other Google apps are not common in Chinese phones made for the domestic market.)

The result is that the Mi4 LTE's Android build is an exploitable hodgepodge of two different versions of Android, KitKat and Jelly Bean, and is uniquely vulnerable to security flaws from each. On top of that, the device comes pre-rooted, as though it were a developer version, meaning that third-party software can run more or less unchecked. Infecting a rooted phone is somewhat easier than infecting a device with a certified Android build.

As the phone that Bluebox tested is the real deal, these flaws are most likely present on other brand-new Mi4 LTEs. Xiaomi has not responded to the company's queries, nor has it acknowledged the device's purported security flaws.

If you were planning to import an Mi4 LTE, you may want to reconsider. If you've already done so, your safest bet might be to root the device and install a Google-approved version of Android.

https://www.csmonitor.com/Technology/2015/0311/Does-the-Xiaomi-Mi4-LTE-come-preinstalled-with-malware-update