Malware-Ridden 'Xiaomi Handset' Found to be a Fake

Chinese smartphone maker Xiaomi has hit back at claims that one of its handsets contained pre-loaded malware, arguing that the tested device was in fact a counterfeit model.

Security firm Bluebox was left red-faced after it tested the device – which it bought on a “recent trip to China” – believing it was a genuine Xiaomi Mi 4 LTE.

It claimed to have found six pre-installed programs on the phone containing malware, spyware or adware.

These included ‘Yt Service’, which embedded adware dubbed DarthPusher, a trojan known as PhoneGuardService, and malware called SMSreg.

“Not only was the device vulnerable to every vulnerability we scan for (except for Heartbleed which only was vulnerable in 4.1.1), it was also rooted and had USB debugging mode enabled without proper prompting to talk with a connected computer,” Bluebox said.

“The USB debugging is especially troublesome because the device says it ships with Android 4.4.4, which should enforce the Android device to manually authorize an unknown connecting computer.”

The security vendor released its findings late last week after claiming Xiaomi refused to respond to its privately disclosed report.

However, once the findings were made public, the Chinese smartphone maker released a lengthy statement, picking out “glaring inaccuracies” in the report.

It claimed that legitimate Xiaomi handsets do not come pre-rooted or pre-loaded with malware, and that the underlying MIUI OS is not a forked version of Android but fully certifiable and Android compatible.

A second statement read:

“We have concluded our investigation on this topic – the device Bluebox obtained is 100 percent proven to be a counterfeit product purchased through an unofficial channel on the streets in China. It is therefore not an original Xiaomi product and it is not running official Xiaomi software, as Bluebox has also confirmed in their updated blog post.”

Tell-tale signs the device wasn’t authentic included the fact its IMEI number was found on other pirated handsets in China and that the physical hardware inside was “markedly different from our original Mi 4,” it added.

Xiaomi advised users to buy only from official channels – either the Mi.com site or the small number of operators and retailers authorized by the firm.

In a brief updated statement, Bluebox attempted to limit damage by claiming the device was a “very good” copy which “even defeated [Xiaomi’s] verification app initially.”

Although the Beijing-based smartphone maker has been fully vindicated in this case, the publicity won’t have done it any favors ahead of an expected US launch later this year.