Various security vulnerabilities have been discovered within Android-based apps and system components installed on Xiaomi smartphones.
According to a report from mobile security firm Oversecured “The vulnerabilities in Xiaomi led to access to arbitrary activities, receivers and services with system privileges, theft of arbitrary files with system privileges, [and] disclosure of phone, settings and Xiaomi account data,”Β
You might be interested: Cyber Security Programs: Your First Step Towards a Secure Future
The 20 flaws affect several programs and elements including –
- Com.miui.gallery Gallery
- Com.xiaomi.mipicks GetApps
- com.miui.videoplayer Mi Video
- Miui Bluetooth (com.xiaomi.bluetooth)
- Comp.android.phone Phone Services
- Com.android.printspooler, the print spooler
- Com.miui.securitycenter security
- Com.miui.securitycore, Security Core Component
- Reset (com.android.settings)
- Xiaomi Cloud (com.miui.cloudservice) System Tracing (com.android.traceur) ShareMe (com.xiaomi.midrop)
Noteworthy vulnerabilities include a shell command injection issue affecting the System Tracing app, as well as issues within the Settings app. These settings app vulnerabilities enable the theft of arbitrary files and the disclosure of sensitive Bluetooth devices, linked Wi-Fi networks, and emergency contact information.
While Phone Services, Print Spooler, Settings, and System Tracing are originally official Android Open Source Project (AOSP) components, Xiaomi has modified them to incorporate additional functionality, thereby introducing these vulnerabilities.
Furthermore, a memory corruption issue has been identified in the GetApps app. This problem stems from an Android module known as LiveEventBus, which, according to Oversecured, was reported to the project maintainers over a year ago and remains unresolved.
The Mi Video app has been found to broadcast Xiaomi account details, such as login and email address, through implicit intents. These details could potentially be intercepted by any other app installed on the device utilizing its own broadcast receivers.
Oversecured reported these issues to Xiaomi five days prior, on April 25, 2024. Users are advised to apply the latest updates to mitigate the risk of potential threats.In conclusion, the discovery of multiple security flaws affecting various apps and system components on Xiaomi Android devices underscores the importance of diligent security measures in the rapidly evolving landscape of mobile technology. While these vulnerabilities pose significant risks to user privacy and data security, prompt action from both users and manufacturers can help mitigate potential threats. By staying vigilant and applying the latest updates and patches provided by Xiaomi, users can safeguard their devices against exploitation and ensure a safer mobile experience. Moreover, the collaboration between security researchers and manufacturers remains crucial in identifying and addressing vulnerabilities to enhance the overall security posture of mobile ecosystems.
MANAGED CYBERSECURITY SOLUTIONS
Rhyno delivers a range of activities that combine to fully protect your infrastructure and data from cybercriminals, anywhere and everywhere, 24/7/365.
About Rhyno Cybersecurity Services
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.
Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.