Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Android Security Communications Operating Systems Privacy Software News Hardware Technology

Xiaomi Can Silently Install Any App On Your Android Phone Using A Backdoor (thehackernews.com) 97

Xiaomi, the Chinese smartphone manufacturer many refer to as the "Apple of China," can silently install any app on your device, according to a Computer Science student and security enthusiast from the Netherlands. Thijs Broenink started investigating a mysterious pre-installed app, dubbed AnalyticsCore.apk, that constantly runs in the background and reappears even if you try and delete it. The Hacker News reports: After asking about the purpose of the AnalyticsCore app on the company's support forum and getting no response, Thijs Broenink reverse engineered the code and found that the app checks for a new update from the company's official server every 24 hours. While making these requests, the app sends device identification information with it, including the phone's IMEI, Model, MAC address, Nonce, Package name as well as signature. If there is an updated app available on the server with the filename "Analytics.apk," it will automatically get downloaded and installed in the background without user interaction. Broenink found that there is no validation at all to check which APK is getting installed to a user's phone, which means there is a way for hackers to exploit this loophole. This also means Xiaomi can remotely and silently install any application on your device just by renaming it to "Analytics.apk" and hosting it on the server. Ironically, the device connects and receives updates over HTTP connection, exposing the whole process to Man-in-the-Middle attacks."
This discussion has been archived. No new comments can be posted.

Xiaomi Can Silently Install Any App On Your Android Phone Using A Backdoor

Comments Filter:
  • by Narcocide ( 102829 ) on Thursday September 15, 2016 @04:53PM (#52896401) Homepage

    Ironically, the device...

    I think you mean predictably.

    • I would have gone with "stomach churningly" but...

    • by mspohr ( 589790 )

      That's not irony. That's stupidity.

      • Re: (Score:3, Funny)

        by Anonymous Coward

        Irony is like coppery, but harder.

      • Stupidity for phone users. Stupidity for developers to think it would not be discovered.
    • by postbigbang ( 761081 ) on Thursday September 15, 2016 @04:58PM (#52896439)

      Don't worry. It's in a directory called /speedtest.

    • by Kvasio ( 127200 ) on Thursday September 15, 2016 @06:15PM (#52896847)

      exactly! I'm concerned if regular LED bulbs (not the wifi-enabled ones) don't have hidden functionalities, such as sending sound or images over wireless network or becoming bricked on command from China.
      So any router, smartphone, security cam etc are even more suspicious.
      Sure, "Western" brands also produce in China, but at least - theoretically - they control their products. In case of chinese brand + chinese design + chinese manufacturing option of "bricked on command" may be quite viable war scenario.

      • So many Chinese-made IoT ("Internet of Targets") devices do this it's not funny. It seems like very single webcam, Internet-enabled lightbulb, and magic dingus we check on phones home to half a dozen random servers all over China for who-knows-what purpose. It's not malicious, it's just sloppy programming: It's so much easier to manage and maintain the whatsit you've sold to customers all over the world when it's phoning home and checking in all the time. The fact that the capability can be hijacked by a
      • exactly! I'm concerned if regular LED bulbs (not the wifi-enabled ones) don't have hidden functionalities, such as sending sound or images over wireless network or becoming bricked on command from China.

        I'm concerned if you're not using encryption on your network. If you are, those devices aren't doing anything of the sort. If you're extra-concerned about it, open them up and see what kind of chips are in there. There is probably nothing in there that is complex enough to do what you describe. It's not that it's impossible, it's more about why bother? Most people are using encrypted networks (I'm doing it and I don't even have neighbors) so there's little to no point.

        • by Kvasio ( 127200 )

          > I'm concerned if you're not using encryption on your network. If you are, those devices aren't doing anything of the sort.

          I do use it, and I'm not telling about wifi.
          But ... if they made custom stack (not 802.x whatever), even not tcp/ip but completely obfuscated p2p protocol - it they sell billions bulbs, theoretically they could send "delayed command of death" and suddenly large chunk of Europe/USA comes to dark ages. (Or even a special wave shape in AC power supply may be such signal).

          Also think ab

    • No no no, it connects ironically. Then it sends null strings, plays some old vinyl it doesn't actually like, and transfers the file via gopher.
  • to "already has installed"
  • Shocker... (Score:4, Insightful)

    by Anonymous Coward on Thursday September 15, 2016 @04:59PM (#52896449)

    ... who would expect something like that from a company in china... also Google can do the *exact* same thing...

    • by 93 Escort Wagon ( 326346 ) on Thursday September 15, 2016 @08:03PM (#52897395)

      ... who would expect something like that from a company in china... also Google can do the *exact* same thing...

      Apparently Apple can only do this with U2 albums.

    • by rtb61 ( 674572 )

      Not to forget that M$ can do exactly the same thing with compulsory windows 10 upgrades and do factually do it, including firmware hacks, hell they can do it via targeted upgrades for windows 7 on and up. Although with windows 7-8 you could skip the upgrades so it takes some time for them to load them up for the NASA, CIA or NATO (need to separate those hacks from those organisation because they keep secrets from each other, you could actually get hacked by all three individually and as a foreigner by your

  • by Anonymous Coward

    What a shocker, another Chinese hardware manufacturer with crap security and built in backdoor and/or spyware!

    If you don't like these buy your computer hardware from some other country... oh wait, everything is made in China.

  • by viperidaenz ( 2515578 ) on Thursday September 15, 2016 @05:00PM (#52896461)

    So I can run an free wifi network and man-in-the-middle anyone with a Xaiomi phone who connects to it and install anything I want on their phone.

  • by macs4all ( 973270 )
    That's what you get from a wholly-Chinese company.

    And no, using Chinese Contract Manufacturing is NOT the same. Contract Manufacturers don't control the firmware, nor have the signing keys or software distribution abilities.
  • does Android have a hosts file?
    • Re: (Score:2, Informative)

      by Anonymous Coward

      Yes, it does.
      Should have root then use file explorer that support text editting or other editing app to edit hosts file (/system/etc/hosts).
      Adaway ad blocker for android also works with the hosts file.
      I'm not certain if you need root for this but you can also push and pull the hosts file using adb.

      • Great advice. Next question is, what are the actual addresses that should be added? I can't find that information.
      • by Rexdude ( 747457 )

        I'm not certain if you need root for this but you can also push and pull the hosts file using adb.

        You do, the root and system partitions aren't accessible by default without a root shell.

  • Xaomi is easy to root and Analytics is the first app I delete

  • So you are telling me that xiaomi can silently install apps, while google, HTC, Sony, Samsung,... can't? Wake up and follow the white rabbit.

    • Pretty sure the issue here is that they do no signing of the binary installed. Sure google can do that through the play store, but you probably don't have to worry about the guy sitting in the corner at Starbucks tricking your phone into installing a root kit and backdoor to your phone.

      Any centralized update mech (and there are tons) has this capability. Just imagine what happens when somebody finally hacks wordpress' servers and keys and gets 80% of the wordpress installs out there to update to a nice ne

  • by ebunga ( 95613 ) on Thursday September 15, 2016 @05:43PM (#52896713)

    And anybody and anything that half-way looks at your phone. Why doesn't the CFAA apply to these companies forcibly installing unwanted software on my pocket computer and making it impossible to uninstall that software?

  • Wondering what data that their app will be sending back to HQ.
  • Why isn't there user-controlled write-protect on phones to prevent this sort of thing? You don't need to be able to install software on your goddamned phone so often that it needs to be in read/write mode all the time.

    Of course my question is rhetorical and the answer is obvious: smartphones are just surveillance and data collection devices. Read my new sigline, it says it all.
    • Unfortunately you probably lost 90% of your audience at "think."

    • by Nemyst ( 1383049 ) on Thursday September 15, 2016 @07:08PM (#52897115) Homepage
      1) Android's system partition is, indeed, write-protected. Users can never write to it. However, there has to be a partition with RW rights for data storage, and that's also where all userland apps reside. This is important because users do, in fact, install software regularly, and also updates are pushed out fairly consistently. Having to remount the drive every time would be way more hassle than it's worth if you wanted it to be actually secure in any fashion.

      2) All of this is besides the point because the manufacturer is doing it. They could embed that behavior in the motherboard, in a hardware chip separate from the main CPU, they could put it in the firmware, they can do anything. Your "solution" is for a problem completely orthogonal to the issue at hand.
      • I'm not sure you understand. I want a hardware switch that write-protects the entire phone from anyone installing or writing anything to any of it's memory devices for any reason, working RAM excepted, of course (the OS and existing software need stack and heap space, of course). Of course, as you say, and as I've already pointed out, the whole game is rigged before you even get the phone; the manufacturer can put whatever on it and you'd never know, and the wireless company will put whatever on it, and you
  • by subk ( 551165 ) on Thursday September 15, 2016 @05:54PM (#52896767)
    ..And collect that $200,000 bounty
  • I just can't understanding not doing HTTPS/HSTS.
  • So... (Score:2, Flamebait)

    So, if I understand this story correctly, Xiaomi is just doing what those benevolent western tech companies do; except their implementation is absurdly shoddy.

    The total lack of package validation or SSL is pretty amateur hour; but the fact that your phone's vendor never really loosens its grip(until the day it gets bored of providing updates and just pretends it never sold the device) isn't something that started with sinister Chinese intrigue. "Google Play Services" can probably afford better software e
  • It might not be totally silent, but eventually if you have one of recent Sammy phones, you get persistent notifications that will not go away until you update "Samsung Apps" (it's own app store). A single press of that button and the app immediately installs without any sort of permission usage description or whatever. Maybe they don't do it over plain http, but they can still do what they want server side.

    And about this particular case, I wouldn't jump all my guns, because I doubt the source can prove all

  • I don't see the running process or the file that is supposed to be under com.miui.analytics/cache, I am running the latest Mi4 MIUI version 7.5.1 Global, which was released a couple of months ago. So, perhaps they changed this behavior? The forum posts at least were older than that release. In any case it's been the best (and cheapest actually) Android phone I've had so far. Now, about spying, it really doesn't make a difference to me who it is that is performing it, Xiaomi, Apple, Google whoever tracks me

  • In the first sentence of the first linked article it mentions Samsung phones are infected with this backdoor, I'm asking why would that be?

    I've got two rooted SAMSUNG galaxy class phones. Neither of them has this app installed. Why would Samsung allow a Rival to install modules on the phones they manufacturer, sell, support, and warranty?

    • In the first sentence of the first linked article it mentions Samsung phones are infected with this backdoor

      No it doesn't.

  • I'm pretty sure most cheap tablets that all kinda looks the same, have same specs, and a bunch of weird apps and processes that behave weirdly are all infected with similar stuff.

    Got myself a cheap quadcore small tablet just to mess around a bit... tons of weird apps and processes running on the background, you can't uninstall them, and if you root the device and try to do it forcibly, the tablet factory resets itself. It went into the garbage bin.

  • by Anonymous Coward

    I have an old Dell laptop on which I naively activated CompuTrace and it can't be turned off. The BIOS CompuTrace module places 3 executable files in c:\windows\system32 which phone home. The brilliantly simple fix I found somewhere online was to replace the 3 files with empty ones. (they might be mov ax,4ch; int 21 - I forget).

    So, could you roll your own AnalyticsCore.apk? Maybe one that messes with them? Or just does nothing?

    - bobby

  • DT Ignite anyone?
  • Xiaomi Can Silently Install Any App On Your Android Phone Using A Backdoor

    Oh really? On my Android phone, you say?

    Please stop blindly copying headlines. Stuff like this makes it look like you think us readers are dumb and can't be interested in a story unless it somehow personally affects us.

  • What's the fucking surprise here?
    Good luck preventing Play Store or Play Services from doing the same to 'your' phone.
    Yes, it is a bad thing nonetheless.
  • likely just the devs making reaching out and touching a device easier on themselves.

    just think, the devs can push updates and instant fixes. they can also properly assess a customer complaint to see if it is their device or the customer has a crapload of malware on the device. its all just good business.

    not everything is a nefarious conspiracy.

  • It comes from a beta team member: "No need to create unnecessary fuss about the issue."

    Heh, and how much Kool-Aid did you drink pal?

  • And the point is...

    Prudence dictates that ANYONE intending to do any kind of electronic communications with intents of maintaining any sort of security, a thorough education is fully indicated before even shopping for a device.

    Otherwise, it is survival of the tech saavy-ist.

There is no opinion so absurd that some philosopher will not express it. -- Marcus Tullius Cicero, "Ad familiares"

Working...