As we all know very well that the Chinese smartphone manufacturer has become one of the largest manufacturers of smartphones, as it offering good built quality with an excellent level of hardware at a very reasonable price. But, recently a security practitioner discovered that Xiaomi can silently install any application on your Android device.
Xiaomi Can Silently Install Any Application On Your Android Device
Xiaomi has become one of the largest manufacturers of smartphones today, as it offering good built quality with an excellent level of hardware at a very reasonable price. In addition, the Chinese smartphone manufacturer uses their mobile phones with Google’s operating system, yes, of course, it’s Android and everyone knows that it is the most popular and widely used OS worldwide.
However, like many other manufacturers of smartphones, Xiaomi uses its own customized interface or UI, better known as MIUI. Xiaomi performs the pre-installation of certain applications simply to increase the device performance. In this case, as everyone knows its interface MIUI, but there are other preinstalled applications in the device of the Chinese manufacturer we don’t really know that what those apps are and what their purposes.
The question actually arises here that, do these apps pose any threat to your security or privacy?
Simply to find out the actual role of these applications that comes pre-installed on Xiaomi smartphones, a Computer Science student as well as a security practitioner and the owner of a Xiaomi Mi4 smartphone, Broenink from Netherland, begin an investigation to know the actual role, behaviour, and purpose of the mysterious pre-installed app, which is known as “AnalyticsCore.apk”, which runs non-stop in the background and even it reappeared later if you delete it.
But, the security enthusiast, Broenink asked about its purposes in the support forums of the company, but the company did not respond. Hence, the student began to study the behavior of the application and realized that the software sent information to the official server of the company periodically.
Even it can also allow the company Xiaomi to install any applications on any Xiaomi device, as the security enthusiast also investigated that if there was an application or update for the “Analytics.apk” app, but he found that it can be downloaded and installed on the device without notifying the user. It is not the first time Xiaomi is related to the pre-installation of adware and spyware. However, now it clearly seems that history could repeat this back door again.
“So it looks like Xiaomi can replace any (signed?) package they want silently on your device within 24 hours. And I’m not sure when this App Installer gets called, but I wonder if it’s possible to place your own Analytics.apk inside the correct dir, and wait for it to get installed,” Thijs Broenink said.
What is really worrying is that Xiaomi can install any applications on our smartphones without notifying us, yes it means silently. Even this can be also exploited by any third parties, as they could use this as a means of access as vulnerability to install malicious applications on our devices.
“This sounds like a vulnerability to me anyhow, since they have your IMEI and Device Model, they can install any APK for your device specifically,” Thijs Broenink said.
As a workaround, Broenink recommends users of Xiaomi to use any firewall app simply to block all connections to related Xiaomi domains and prevent it from performing any attack as the man-in-the-Middle takes advantage of these connections.
