Warning - Millions of Xiaomi Phones Vulnerable, Remote Hacking

Millions of Xiaomi smartphones are vulnerable to a dangerous remote code execution (RCE) vulnerability that could grant attackers complete control of handsets.

The vulnerability, now patched, exists in MIUI – Xiaomi's own implementation of the Android operating system – in versions prior to MIUI Global Stable 7.2 which is based on Android 6.0.

The flaw, discovered by IBM X-Force researcher David Kaplan, potentially allows attackers with privileged network access, such as cafe Wi-Fi, to install malware remotely on the affected devices and fully compromise them.

Researchers found some apps in the analytics package in MIUI, which can be abused to provide malicious ROM updates remotely through a man-in-the-middle attack.

"The vulnerability we discovered allows for a man-in-the-middle attacker to execute arbitrary code as the highly privileged Android 'system' user," researchers say.

Researchers say they discovered vulnerable analytics packages in at least four default apps provided by Xiaomi in its MIUI distributions, one of those apps being the default browser app.

The flaw allows an attacker to inject a JSON response to force an update by replacing the link and MD5 hash with a malicious Android application package containing malicious code, which is executed at the system level.

Since there is not any cryptographic verification of the update code, the analytics package (com.xiaomi.analytics) will replace itself with "the attacker-supplied version via Android's DexClassLoader mechanism."

In order words, the analytics package neither uses HTTPS to query an update server for updates, nor it downloads the package over HTTPS, thus allowing attackers to modify the updates.

The custom ROM ships on devices manufactured by developer Xiaomi – World's third largest smartphone maker with over 70 Million devices shipped just last year alone – and is also ported to over 340 different handsets including Nexus, Samsung, and HTC.

Since the company has patched the flaw and released a over-the-air update, users are strongly recommended to update their firmware to version 7.2 as soon as possible in order to ensure they are not vulnerable to this issue that plagues Millions of Xiaomi devices.

MIUI 8 for Xiaomi Devices Announced Globally

Xiaomi announced its latest Android based OS version, MIUI 8, back in May. The UI update was released as a beta version in China back then. Today, the company has announced the global release of its MIUI 8. The global version of the ROM will consist of all the features found in the Chinese MIUI 8, plus some extra ones.

MIUI 8 is bringing a whole lot of visual changes to the interface while maintaining the same fluid animations and lag-free experience. The company claims they are “Using color in unlimited ways”.

Notification Drawer

The biggest change can be seen in the notification drawer which shifts from a two-pane one to single-pane one. The notification drawer now has a weather panel at the top which changes colors and animations according to the weather data.

Previously, the toggles used to be on the right pane. Now they have been moved to a single one and sit below the weather panel. The toggles can be edited and arranged as well.

Other changes include a color changing status bar with new animations across the whole UI, based on the apps in use. Xiaomi has kept an option for users to switch back to the old two-pane notification drawer, if they prefer the older one’s functionality.

Dual Apps

The most unique and the probably the best feature on the MIUI 8 is Dual Apps. Don’t mistake it for split screen multitasking. It is actually a change which allows users to have two instances of the same app installed simultaneously. For example, you can have two WhatsApp accounts for two different SIMs. This is unique and a great feature, something desired by users for quite a while.

Dual Spaces

Spaces are like having two different phones in one pocket. Each space has its own workspace, with its own separate set of apps, settings, customisations, image gallery. It is sort of like having two accounts on a single phone. One can be used for work, the other one for personal use.

While Android supports multiple accounts since Lollipop, Xiaomi has changed the original feature to make it more useful. Users can set different passcodes for each space and enter either one by simply entering the respective code. No need to switch again and again.

Another use-case for this is that people with tablets, or those who share their phones, can separate stuff from each other without much hassle.

Scrolling Screenshots

MIUI 8 brings another cool new feature, scrolling screenshots. Often, screenshots are limited since you can only show so much on such a small screen. This feature lets you take one long screenshot across a page by combining multiple images. The final image can then be cropped as well.

Quick Ball

It’s a small circular ball on the screen. The ball consists of quick shortcuts, basic functions like home, back and task manager plus shortcuts to apps of the user’s choice.

A similar feature has been available on rooted phones for quite some time but this is probably the first time an OEM has incorporated such a feature and improved it for daily use.

Other Features

Xiaomi has added some other nifty utilities into the mix as well:

• Smart Caller ID and Spam Alert
• Improved Mi Cloud Photo Sync (Saves storage automatically)
• Built-in video editing tools
• Revamped Task manager with music controls
• Math Problem Solver
• Multi-Window management
• Power Saving mode
• Wallpaper Carousal
• New Animations for calls

Release Info

The public beta for the MIUI 8 Global ROM will be released as an OTA update on 11 July while the stable release will hit all devices starting August 16.

Devices eligible for the upgrade are Mi 5, Mi Max, Mi Note, Mi 4i, Mi 4, Mi 3, and Mi 2. The Redmi series devices include Redmi Note 3, Redmi Note 2, Redmi Note Prime, Redmi Note, Redmi 2 Prime, Redmi 2, Redmi 1s and Redmi 1.