A security firm called Oversecured has uncovered critical security flaws in several applications and core components of Xiaomi devices running on the Android operating system. According to the security firm’s report, these vulnerabilities allow attackers to:
- Gain access to sensitive activities and services on the phone with system administration privileges.
- Steal sensitive files on the device.
- Expose private user information such as phone data, settings, and Xiaomi accounts.
The applications and components affected by these vulnerabilities include:
- Gallery
- GetApps (Xiaomi App Store)
- Mi Video (Video Player)
- MIUI Bluetooth
- Phone Services
- Print Spooler
- Security
- Security Core Component
- Settings
- ShareMe (File Sharing)
- System Tracing
- Xiaomi Cloud
It is worth noting that some of these components, such as Phone Services, Print Spooler, Settings, and System Tracing, are standard components of the Android Open Source Project (AOSP) that Xiaomi modified to add functionality. Those modifications are what introduced the security vulnerabilities.
A memory corruption vulnerability was also discovered in the GetApps (Xiaomi App Store) application. This vulnerability stems from an Android library called LiveEventBus. Oversecured has stated that they reported the vulnerability to the maintainers of this library over a year ago, but it has not yet been fixed.
The Mi Video (Video Player) application was found to be sending Xiaomi account information, such as username and email, in an insecure manner. This information can be intercepted by any other application installed on the device.
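The Mi Video finding belongs to a well-known class of Android issue: data handed to the system through an IPC mechanism that any installed app can observe. The following is an added illustration, not code from the report, from Oversecured, or from Xiaomi. It assumes the data travels in an implicit broadcast, which the summary above does not specify; the action string, package name and permission name are placeholders.

```java
// Added illustration, not Oversecured's or Xiaomi's code. Assumes the leak
// happens through an implicit broadcast; the article does not say which
// IPC mechanism Mi Video actually used.
import android.content.Context;
import android.content.Intent;

public final class AccountInfoSender {
    // Placeholder identifiers, chosen for this example only.
    static final String ACTION_ACCOUNT_INFO = "com.example.ACCOUNT_INFO";
    static final String TRUSTED_RECEIVER_PKG = "com.example.trustedreceiver";
    // Declared in the sender's manifest with android:protectionLevel="signature",
    // so only apps signed with the same key can hold it.
    static final String SIGNATURE_PERMISSION =
            "com.example.permission.RECEIVE_ACCOUNT_INFO";

    // Weak pattern: an implicit broadcast is delivered to every app that
    // registered a receiver for the action, so any installed app can read
    // the username and email from the extras.
    static void sendInsecure(Context ctx, String username, String email) {
        Intent i = new Intent(ACTION_ACCOUNT_INFO);
        i.putExtra("username", username);
        i.putExtra("email", email);
        ctx.sendBroadcast(i);
    }

    // Hardened pattern: make the intent explicit with setPackage(), so the
    // system routes it only to the named app, and require a signature-level
    // permission, so even that app must be signed with the sender's key.
    static void sendHardened(Context ctx, String username, String email) {
        Intent i = new Intent(ACTION_ACCOUNT_INFO);
        i.setPackage(TRUSTED_RECEIVER_PKG);
        i.putExtra("username", username);
        i.putExtra("email", email);
        ctx.sendBroadcast(i, SIGNATURE_PERMISSION);
    }
}
```

When reviewing an app for this class of bug, the check is mechanical: every sendBroadcast, startActivity or startService call that carries sensitive extras should have an explicit target (a package or component), and any receiver for it should be protected by a permission or marked non-exported. Better still, account data should be exchanged through a bound service or content provider guarded by the same signature permission rather than copied into an intent at all.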
Oversecured confirmed that they reported these vulnerabilities to Xiaomi between April 25 and 30, 2024.
We recommend that Xiaomi users update their applications and operating systems to the latest available versions to avoid falling victim to these vulnerabilities.