Xiaomi Can Silently Install Any App On Your Android Phone Using A Backdoor (thehackernews.com) 97
Xiaomi, the Chinese smartphone manufacturer many refer to as the "Apple of China," can silently install any app on your device, according to a Computer Science student and security enthusiast from the Netherlands. Thijs Broenink started investigating a mysterious pre-installed app, dubbed AnalyticsCore.apk, that constantly runs in the background and reappears even if you try and delete it. The Hacker News reports: "After asking about the purpose of the AnalyticsCore app on the company's support forum and getting no response, Thijs Broenink reverse engineered the code and found that the app checks for a new update from the company's official server every 24 hours. While making these requests, the app sends device identification information with it, including the phone's IMEI, Model, MAC address, Nonce, Package name as well as signature. If there is an updated app available on the server with the filename "Analytics.apk," it will automatically get downloaded and installed in the background without user interaction. Broenink found that there is no validation at all to check which APK is getting installed to a user's phone, which means there is a way for hackers to exploit this loophole. This also means Xiaomi can remotely and silently install any application on your device just by renaming it to "Analytics.apk" and hosting it on the server. Ironically, the device connects and receives updates over HTTP connection, exposing the whole process to Man-in-the-Middle attacks."
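The update check described in the summary, next to a hardened variant, as an added example that is not code from the AnalyticsCore app or from the original report. The host name, function names and sample bytes are constructed; pinning a SHA-256 digest assumes the expected digest reaches the device over an already authenticated channel, and it stands in for the signing-certificate check a real Android updater would rely on.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

EXPECTED_NAME = "Analytics.apk"  # filename named in the report

# Constructed sample data: placeholder host, placeholder package bytes.
HTTP_URL = "http://update.example.invalid/Analytics.apk"
HTTPS_URL = "https://update.example.invalid/Analytics.apk"
GENUINE = b"PK\x03\x04 constructed genuine update"
SWAPPED = b"PK\x03\x04 constructed substituted package"
PINNED = hashlib.sha256(GENUINE).hexdigest()


def _filename(url: str) -> str:
    """Last path component of the download URL."""
    return urlsplit(url).path.rsplit("/", 1)[-1]


def naive_should_install(url: str, apk_bytes: bytes) -> bool:
    """Behaviour as reported: the filename decides, the content is never checked."""
    return _filename(url) == EXPECTED_NAME


def hardened_should_install(url: str, apk_bytes: bytes,
                            pinned_sha256: str) -> tuple[bool, str]:
    """Refuse cleartext transport and any package whose digest is not the pinned one."""
    if urlsplit(url).scheme != "https":
        return False, "transport is not TLS"
    if _filename(url) != EXPECTED_NAME:
        return False, "unexpected filename"
    digest = hashlib.sha256(apk_bytes).hexdigest()
    # Constant-time comparison of the computed and expected hex digests.
    if not hmac.compare_digest(digest, pinned_sha256.lower()):
        return False, "digest mismatch"
    return True, "ok"


if __name__ == "__main__":
    print("naive, http, swapped   :", naive_should_install(HTTP_URL, SWAPPED))
    print("hardened, http, genuine:", hardened_should_install(HTTP_URL, GENUINE, PINNED))
    print("hardened, https, swapped:", hardened_should_install(HTTPS_URL, SWAPPED, PINNED))
    print("hardened, https, genuine:", hardened_should_install(HTTPS_URL, GENUINE, PINNED))
```
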
Not actually an example of irony. (Score:5, Insightful)
Ironically, the device...
I think you mean predictably.
Re: (Score:2)
I would have gone with "stomach churningly" but...
Re: (Score:2)
That's not irony. That's stupidity.
Re: (Score:3, Funny)
Irony is like coppery, but harder.
Re: (Score:1)
Re:Not actually an example of irony. (Score:5, Funny)
Don't worry. It's in a directory called /speedtest.
Re:Not actually an example of irony. (Score:5, Interesting)
exactly! I'm concerned if regular LED bulbs (not the wifi-enabled ones) don't have hidden functionalities, such as sending sound or images over wireless network or becoming bricked on command from China.
So any router, smartphone, security cam etc are even more suspicious.
Sure, "Western" brands also produce in China, but at least - theoretically - they control their products. In case of Chinese brand + Chinese design + Chinese manufacturing option of "bricked on command" may be quite viable war scenario.
Re: (Score:1)
But they aren't out to get you. They want it to monitor Chinese citizens or defectors. Possibly they will be pleasantly surprised if some Japanese politician gets one.
The Chinese government doesn't care about some little citizen in the west, just like the US government doesn't care if Chinese citizens live or die.
If you are European or American you get a Chinese phone and the Chinese will hold on to your information, just to piss off the US government if nothing else.
If you are Chinese you get an American ph
Re: (Score:1)
Lenovo installs malware into its own computer in the same manner... they got blasted and now they removed it... XiaoPhuck installs a backdoor that can install anything else... same phucking stealing method... Other than stealing.. what did they "innovate"?
Re: (Score:2)
Re: (Score:2)
exactly! I'm concerned if regular LED bulbs (not the wifi-enabled ones) don't have hidden functionalities, such as sending sound or images over wireless network or becoming bricked on command from China.
I'm concerned if you're not using encryption on your network. If you are, those devices aren't doing anything of the sort. If you're extra-concerned about it, open them up and see what kind of chips are in there. There is probably nothing in there that is complex enough to do what you describe. It's not that it's impossible, it's more about why bother? Most people are using encrypted networks (I'm doing it and I don't even have neighbors) so there's little to no point.
Re: (Score:2)
> I'm concerned if you're not using encryption on your network. If you are, those devices aren't doing anything of the sort.
I do use it, and I'm not telling about wifi. ... if they made custom stack (not 802.x whatever), even not tcp/ip but completely obfuscated p2p protocol - if they sell billions bulbs, theoretically they could send "delayed command of death" and suddenly large chunk of Europe/USA comes to dark ages. (Or even a special wave shape in AC power supply may be such signal).
But
Also think ab
Re: (Score:2)
change "can silently install" (Score:2)
Shocker... (Score:4, Insightful)
... who would expect something like that from a company in china... also Google can do the *exact* same thing...
Re: (Score:3, Informative)
Well, at least one big difference is the encryption... if Google's updated app is served via an encrypted request, it's much more likely that only they can send the updated apk to the target's phone.
With Xiaomi's implementation, anyone between the target and the server can send the apk of their choice.
Who should be able to update software? The company you're already relying on for various services, or _anyone_?
Re: (Score:2)
That's not the point. The point is that users are giving the keys to the digital equivalent of their house to random third parties, and 99% of them don't even realize they're doing it.
Re: (Score:2)
Re: (Score:1)
But it really is on the honour system.
The last few generations of software have removed the user as the final decision maker.
Imagine we're in a crappy movie where everybody in authority has gone mad with power. The user can no longer prevent Microsoft from forcing malware on their machine through windows update. They can no longer prevent their phones from spying on them by Google.
Sure, none of those companies will be stupid enough to take it to the extreme, but if they decide you get something, then you
Re:Shocker... (Score:4, Funny)
... who would expect something like that from a company in china... also Google can do the *exact* same thing...
Apparently Apple can only do this with U2 albums.
Re: (Score:2)
Not to forget that M$ can do exactly the same thing with compulsory windows 10 upgrades and do factually do it, including firmware hacks, hell they can do it via targeted upgrades for windows 7 on and up. Although with windows 7-8 you could skip the upgrades so it takes some time for them to load them up for the NASA, CIA or NATO (need to separate those hacks from those organisation because they keep secrets from each other, you could actually get hacked by all three individually and as a foreigner by your
Shocker (Score:1)
What a shocker, another Chinese hardware manufacturer with crap security and built in backdoor and/or spyware!
If you don't like these buy your computer hardware from some other country... oh wait, everything is made in China.
Funny (Score:3)
So I can run a free wifi network and man-in-the-middle anyone with a Xiaomi phone who connects to it and install anything I want on their phone.
Re: (Score:2)
yup.
Only question is just how popular are they?
Re: (Score:3)
Check out this article from Feb 2016 The Future Of Xiaomi: China’s Most-Valuable Startup Is Looking Well Beyond The Smartphone [ibtimes.com]
Xiaomi, which was founded just six years ago, sells its smartphones in just nine countries, but China is far and away its biggest market, accounting for the vast majority of the 70 million smartphones it sold in 2015.
Is anyone surprised? (Score:2, Insightful)
And no, using Chinese Contract Manufacturing is NOT the same. Contract Manufacturers don't control the firmware, nor have the signing keys or software distribution abilities.
Re: (Score:1)
Yeah, have you heard anything about what a guy named...something Snowden or other has been releasing to the public for the past few years? You know, about how American tech companies are collaborating in one of the most massive surveillance dragnets in human history?
Yeah but not Apple, right? I mean they have closed source firmware and software that we can't verify, that is put into hardware that is built in China and includes software from various other vendors like radio chipset companies but this is Apple. It's not Microsoft or Google, it's Apple and it comes down to one word: courage. If you're using Apple products and being spied on maybe you're just holding them wrong.
Re: (Score:2)
how naive ...
This is not about racism. Whether you accept it or not, China and Russia have now real motivation to go into some sort of conflict with USA and UE. Just read recent RAND Corporation's "War with China".
Now, China remotely turning off everything they could in USA and UE: from PCs, routers to controls in power plants is a reasonable and possible scenario if war happens. And NSA turning these off in USA simply makes no sense.
As written earlier: I'm not 100% sure that Chinese led bulbs don't have so
Re: (Score:1)
Hey dumb-ass, your Windows 7, 8, 8.1, 10, Apple iPhone, Apple Mac etc. can do exactly the same, and it does, as part of transparent "security" updates. This does not make Xiaomi devices less secure, nor other devices more secure.
I agree that they COULD do stuff like that in league with nefarious forces (and in the case of Windows 10, it seems all but a known fact); but at least in the case of Apple, they have such an intense, longstanding, core, distaste for such activities, that I must insist on credible proof of same.
So, uhhh.. (Score:2)
Re: (Score:2, Informative)
Yes, it does.
Should have root then use file explorer that supports text editing or other editing app to edit hosts file (/system/etc/hosts).
Adaway ad blocker for android also works with the hosts file.
I'm not certain if you need root for this but you can also push and pull the hosts file using adb.
Re: (Score:2)
Re: (Score:2)
I'm not certain if you need root for this but you can also push and pull the hosts file using adb.
You do, the root and system partitions aren't accessible by default without a root shell.
Xiaomi is easy to root and Analytics is the first a (Score:1)
Xiaomi is easy to root and Analytics is the first app I delete
Re: (Score:3)
surely you control firmware. But do you control electronic components? Sure, that there are no "hidden few hundred lines of code" in electronics, that would overlay whatever there is in firmware or software?
Because others can't? (Score:1)
So you are telling me that xiaomi can silently install apps, while google, HTC, Sony, Samsung,... can't? Wake up and follow the white rabbit.
Re: (Score:1)
Pretty sure the issue here is that they do no signing of the binary installed. Sure google can do that through the play store, but you probably don't have to worry about the guy sitting in the corner at Starbucks tricking your phone into installing a root kit and backdoor to your phone.
Any centralized update mech (and there are tons) has this capability. Just imagine what happens when somebody finally hacks wordpress' servers and keys and gets 80% of the wordpress installs out there to update to a nice ne
Just like Samsung, AT&T, Apple, Verizon, LG, S (Score:4)
And anybody and anything that half-way looks at your phone. Why doesn't the CFAA apply to these companies forcibly installing unwanted software on my pocket computer and making it impossible to uninstall that software?
Re: (Score:1)
Bought their Mi band 2 today from eBay. (Score:1)
Why can't you write-protect your goddamned phone!? (Score:2, Insightful)
Of course my question is rhetorical and the answer is obvious: smartphones are just surveillance and data collection devices. Read my new sigline, it says it all.
Re: (Score:1)
Unfortunately you probably lost 90% of your audience at "think."
Re:Why can't you write-protect your goddamned phon (Score:4, Insightful)
2) All of this is beside the point because the manufacturer is doing it. They could embed that behavior in the motherboard, in a hardware chip separate from the main CPU, they could put it in the firmware, they can do anything. Your "solution" is for a problem completely orthogonal to the issue at hand.
Re: (Score:2)
They should call Google.. (Score:5, Funny)
I can understand them doing it (Score:2)
So... (Score:2, Flamebait)
The total lack of package validation or SSL is pretty amateur hour; but the fact that your phone's vendor never really loosens its grip (until the day it gets bored of providing updates and just pretends it never sold the device) isn't something that started with sinister Chinese intrigue. "Google Play Services" can probably afford better software e
Deplorable but common practice... (Score:2)
It might not be totally silent, but eventually if you have one of recent Sammy phones, you get persistent notifications that will not go away until you update "Samsung Apps" (its own app store). A single press of that button and the app immediately installs without any sort of permission usage description or whatever. Maybe they don't do it over plain http, but they can still do what they want server side.
And about this particular case, I wouldn't jump all my guns, because I doubt the source can prove all
I don't see it on latest Mi4 MIUI version (Score:2)
I don't see the running process or the file that is supposed to be under com.miui.analytics/cache, I am running the latest Mi4 MIUI version 7.5.1 Global, which was released a couple of months ago. So, perhaps they changed this behavior? The forum posts at least were older than that release. In any case it's been the best (and cheapest actually) Android phone I've had so far. Now, about spying, it really doesn't make a difference to me who it is that is performing it, Xiaomi, Apple, Google whoever tracks me
Re: (Score:2)
I haven't seen this app on Samsung.. (Score:2)
In the first sentence of the first linked article it mentions Samsung phones are infected with this backdoor, I'm asking why would that be?
I've got two rooted SAMSUNG galaxy class phones. Neither of them has this app installed. Why would Samsung allow a Rival to install modules on the phones they manufacture, sell, support, and warranty?
Re: (Score:2)
In the first sentence of the first linked article it mentions Samsung phones are infected with this backdoor
No it doesn't.
Cheap tablets.. (Score:1)
I'm pretty sure most cheap tablets that all kinda look the same, have same specs, and a bunch of weird apps and processes that behave weirdly are all infected with similar stuff.
Got myself a cheap quadcore small tablet just to mess around a bit... tons of weird apps and processes running on the background, you can't uninstall them, and if you root the device and try to do it forcibly, the tablet factory resets itself. It went into the garbage bin.
Roll your own AnalyticsCore.apk? (Score:1)
I have an old Dell laptop on which I naively activated CompuTrace and it can't be turned off. The BIOS CompuTrace module places 3 executable files in c:\windows\system32 which phone home. The brilliantly simple fix I found somewhere online was to replace the 3 files with empty ones. (they might be mov ax,4ch; int 21 - I forget).
So, could you roll your own AnalyticsCore.apk? Maybe one that messes with them? Or just does nothing?
- bobby
Sounds familiar (Score:1)
Fuck clickbait (Score:2)
Xiaomi Can Silently Install Any App On Your Android Phone Using A Backdoor
Oh really? On my Android phone, you say?
Please stop blindly copying headlines. Stuff like this makes it look like you think us readers are dumb and can't be interested in a story unless it somehow personally affects us.
SubjectsInCommentsAreStupidCauseTheSubjectIsTFA (Score:2)
Good luck preventing Play Store or Play Services from doing the same to 'your' phone.
Yes, it is a bad thing nonetheless.
Re: (Score:1)
If I flash the phone with Cyanogen will this still be possible?
Can someone who knows answer this question? I want to know too.
not evil ... just devs being devs (Score:2)
likely just the devs making reaching out and touching a device easier on themselves.
just think, the devs can push updates and instant fixes. they can also properly assess a customer complaint to see if it is their device or the customer has a crapload of malware on the device. it's all just good business.
not everything is a nefarious conspiracy.
Last posting in the forum thread.... (Score:2)
It comes from a beta team member: "No need to create unnecessary fuss about the issue."
Heh, and how much Kool-Aid did you drink pal?
And the point is... (Score:1)
Prudence dictates that ANYONE intending to do any kind of electronic communications with intents of maintaining any sort of security, a thorough education is fully indicated before even shopping for a device.
Otherwise, it is survival of the tech savvy-ist.