Xiaomi is often referred to as the 'Apple of China' thanks to its massive sales and growing following in China, but a report from Thijs Broenink has now surfaced concerning AnalyticsCore.apk, which arrives pre-installed on all Xiaomi smartphones and allows the company to install code onto the smartphone without you noticing, with total access to every single bit and byte of your data.
It gets better, as this backdoor calls back to Xiaomi every 24 hours, sending the user's "IMEI, MAC address, Model, Nonce, Package name and signature". Xiaomi analyzes this data and then tells the device which apps to install - and it can overwrite your signed, pre-installed apps with modified versions of them.
The report reads:
It seems like there indeed is no validation on what APK is getting installed. So it looks like Xiaomi can replace any (signed?) package they want silently on your device within 24 hours. And I'm not sure when this AppInstaller gets called, but I wonder if it's possible to place your own Analytics.apk inside the correct dir, and wait for it to get installed (edit: getExternalCacheDir() is inside the app's sandbox, so probably not). But this sounds like a vulnerability to me anyhow, since they have your IMEI and Device Model, they can install any apk for your device specifically.
If you own a Xiaomi device yourself, you might want to block all access to Xiaomi related domains, because by far this isn't the only request to a Xiaomi site. I use AdAway for this. It does require root access, but that should be no problem if you run the International ROM. I don't know if the official ROM supports root access out of the box.
It's not just Xiaomi who has access to your smartphone: hackers also have an easier way in through the hole Xiaomi has created, as any hole that is created can be used by anyone - not just its creator. Xiaomi smartphones connect and receive updates over an unencrypted HTTP connection, which gives hackers a free-for-all with your smartphone.
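As an added illustration (not part of Broenink's report or of Xiaomi's code), the following Python scans constructed proxy-log lines for the two behaviours described above: APK files fetched over plaintext HTTP, and beacons carrying device identifiers such as IMEI and MAC. Flagged hosts are then turned into AdAway-style hosts entries. All hostnames, log lines and query field names are constructed assumptions, not real Xiaomi endpoints.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample log in the form "<timestamp> <method> <url> <content-type>".
# The hostnames use the reserved .invalid TLD; none of this is captured traffic.
SAMPLE_LOG = """\
2016-09-10T03:00:01Z POST http://analytics.example.invalid/track?imei=123456789012345&mac=AA:BB:CC:DD:EE:FF&model=MI5&nonce=8f1c&pkg=com.miui.analytics application/json
2016-09-10T03:00:02Z GET http://update.example.invalid/apk/Analytics.apk application/vnd.android.package-archive
2016-09-10T03:05:00Z GET https://cdn.example.invalid/img/logo.png image/png
2016-09-10T03:06:00Z GET https://update.example.invalid/apk/Analytics.apk application/vnd.android.package-archive
"""

# Query parameters that identify a device rather than a session (assumed names).
IDENTIFIER_PARAMS = {"imei", "mac", "androidid", "serial"}
APK_MIME = "application/vnd.android.package-archive"


def analyse_flow(line):
    """Return (timestamp, host, findings) for one log line."""
    ts, _method, url, mime = line.split()
    u = urlparse(url)
    findings = []
    # An installable package fetched without TLS can be swapped in transit.
    if u.scheme == "http" and (mime == APK_MIME or u.path.lower().endswith(".apk")):
        findings.append("apk_over_plaintext_http")
    # A beacon carrying hardware identifiers is worth flagging even over TLS.
    ids = IDENTIFIER_PARAMS & {k.lower() for k in parse_qs(u.query)}
    if ids:
        findings.append("device_identifiers_" + ("plaintext" if u.scheme == "http" else "tls"))
    return ts, u.hostname, findings


def scan_log(text):
    """Return [(timestamp, host, findings)] for every line with at least one finding."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, findings = analyse_flow(line)
        if findings:
            results.append((ts, host, findings))
    return results


def hosts_blocklist(results):
    """Build sorted, de-duplicated hosts-file lines (the format AdAway consumes) for flagged hosts."""
    return sorted({"127.0.0.1 " + host for _ts, host, _f in results})
```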
Broenink said: "This sounds like a vulnerability to me anyhow, since they have your IMEI and Device Model, they can install any APK for your device specifically".
What about deleting the APK? One poster on the Xiaomi discussion forum said: "Don't know what purpose does it serve. Even after deleting the file it reappears after some time", while another poster said: "if I go to battery usage app, this app is always at the top. It is eating away at resources I believe".
The Hacker News has talked with a spokesperson from Xiaomi, who said: "AnalyticsCore is a built-in MIUI system component that is used by MIUI components for the purpose of data analysis to help improve user experience, such as MIUI Error Analytics". So Xiaomi isn't commenting on its ability to silently install backdoors into all of its smartphones, automatically sending data and updating apps on the sly.
Xiaomi brands the backdoor as a "self-upgrade" and user experience improvement method, reiterating - without any facts, mind you - that hackers can't exploit their backdoor. The Xiaomi spokesperson said: "As a security measure, MIUI checks the signature of the Analytics.apk app during installation or upgrade to ensure that only the APK with the official and correct signature will be installed".
Xiaomi's spokesperson added: "Any APK without an official signature will fail to install. As AnalyticsCore is key to ensuring better user experience, it supports a self-upgrade feature. Starting from MIUI V7.3 released in April/May, HTTPS was enabled to further secure data transfer, to prevent any man-in-the-middle attacks".
So... what now? This could cause quite the wave for Xiaomi, as it is purportedly enjoying complete root access to your smartphone from a deliberately installed backdoor. Sheesh.