    Xiaomi Android Devices Affected by Multiple Vulnerabilities Across Applications and System Components

    Multiple security vulnerabilities have been disclosed in various applications and system components of Xiaomi devices running Android.

    As stated in a report shared with The Hacker News by mobile security firm Oversecured, “The vulnerabilities within Xiaomi devices led to the accessibility of arbitrary activities, receivers, and services with system privileges, unauthorized access to arbitrary files with system privileges, and exposure of phone, settings, and Xiaomi account data.”

    The 20 flaws affect the following applications and components:

    • Gallery (com.miui.gallery)
    • GetApps (com.xiaomi.mipicks)
    • Mi Video (com.miui.videoplayer)
    • MIUI Bluetooth (com.xiaomi.bluetooth)
    • Phone Services (com.android.phone)
    • Print Spooler (com.android.printspooler)
    • Security (com.miui.securitycenter)
    • Security Core Component (com.miui.securitycore)
    • Settings (com.android.settings)
    • ShareMe (com.xiaomi.midrop)
    • System Tracing (com.android.traceur), and
    • Xiaomi Cloud (com.miui.cloudservice)

    Among the notable flaws are a shell command injection vulnerability in the System Tracing application, and vulnerabilities in the Settings application that could allow unauthorized access to arbitrary files and disclose information about Bluetooth devices, connected Wi-Fi networks, and emergency contacts.
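    The report gives no detail on how the System Tracing injection works, so the following is an added illustration of the bug class rather than Xiaomi's or the Traceur app's code: a caller-controlled string spliced into a shell command line, next to the hardened form that validates the value against an allowlist and passes an argv array with no shell in between. The `atrace` invocation, the `TraceRunner` class and the category pattern are assumptions made for the example.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Added illustration of shell command injection; not code from the Xiaomi apps.
public class TraceRunner {

    // Vulnerable pattern: the caller's string becomes part of a command line that
    // sh parses. A value such as "sched; id > /sdcard/out" runs a second command.
    static Process startTraceUnsafe(String categories) throws IOException {
        String cmd = "atrace --async_start " + categories; // hypothetical tool invocation
        return Runtime.getRuntime().exec(new String[]{"sh", "-c", cmd});
    }

    // Hardened: each comma-separated category must match a strict allowlist, and the
    // arguments are handed to the process as a list, so no shell metacharacters are
    // ever interpreted.
    private static final Pattern CATEGORY = Pattern.compile("[a-z_]{1,32}");

    static List<String> buildTraceArgv(String categories) {
        for (String c : categories.split(",", -1)) {
            if (!CATEGORY.matcher(c).matches()) {
                throw new IllegalArgumentException("rejected trace category: " + c);
            }
        }
        return Arrays.asList("atrace", "--async_start", categories);
    }

    static Process startTraceSafe(String categories) throws IOException {
        return new ProcessBuilder(buildTraceArgv(categories)).start();
    }

    // Demonstrates the check without spawning anything.
    public static void main(String[] args) {
        System.out.println(buildTraceArgv("sched,freq"));        // [atrace, --async_start, sched,freq]
        try {
            buildTraceArgv("sched; id > /sdcard/out");
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());                  // rejected trace category: sched; id > /sdcard/out
        }
    }
}
```

The allowlist matters even with `ProcessBuilder`: a tool invoked with an argv array cannot be tricked into running a second command, but it can still be handed an option it did not expect (for example a value beginning with `-`), so the value is validated before it reaches the argument list.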

    Note that while Phone Services, Print Spooler, Settings, and System Tracing are components derived from the Android Open Source Project (AOSP), Xiaomi modified them to add functionality, and those modifications introduced the vulnerabilities.

    Furthermore, a memory corruption flaw has been found in the GetApps application that originates in an Android library called LiveEventBus; Oversecured reported it to the project maintainers over a year ago, and it remains unpatched.

    Additionally, the Mi Video application was found to send Xiaomi account information, such as usernames and email addresses, in broadcasts using implicit intents, which any third-party application installed on the device can intercept simply by registering its own broadcast receiver for the same action.
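    To make the Mi Video finding concrete, here is an added example (not Mi Video's or Xiaomi's code) of the implicit-broadcast leak, the receiver a third-party app would register to catch it, and the hardened form that targets the intent at a package and gates delivery on a permission. The action string, extra names, permission name and class name are all assumptions made for the example.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;

// Added illustration of leaking account data over an implicit broadcast; not app code.
public class AccountBroadcastExample {
    static final String ACTION_ACCOUNT_CHANGED = "com.example.ACCOUNT_CHANGED";          // hypothetical
    static final String PERMISSION_ACCOUNT_EVENTS = "com.example.permission.ACCOUNT_EVENTS"; // hypothetical

    // Vulnerable: the intent names only an action, not a target, so the system delivers
    // it to every receiver on the device whose filter matches, extras included.
    static void announceAccountUnsafe(Context ctx, String userName, String email) {
        Intent i = new Intent(ACTION_ACCOUNT_CHANGED);
        i.putExtra("userName", userName);
        i.putExtra("email", email);
        ctx.sendBroadcast(i);
    }

    // What a third-party app needs to intercept the broadcast above: a receiver
    // registered for the same action. No permission is requested or required.
    static void registerEavesdropper(Context ctx) {
        BroadcastReceiver sniffer = new BroadcastReceiver() {
            @Override
            public void onReceive(Context c, Intent intent) {
                String leakedName = intent.getStringExtra("userName");
                String leakedEmail = intent.getStringExtra("email");
                // The calling app now holds the victim's account identifiers.
            }
        };
        ctx.registerReceiver(sniffer, new IntentFilter(ACTION_ACCOUNT_CHANGED));
    }

    // Hardened: setPackage() makes the intent explicit, so only receivers inside the
    // named package are candidates, and the receiverPermission argument additionally
    // requires the receiver's app to hold PERMISSION_ACCOUNT_EVENTS. Declare that
    // permission in the manifest with protectionLevel="signature" so only apps signed
    // with the same key can ever obtain it.
    static void announceAccountSafe(Context ctx, String userName, String email) {
        Intent i = new Intent(ACTION_ACCOUNT_CHANGED);
        i.setPackage(ctx.getPackageName());
        i.putExtra("userName", userName);
        i.putExtra("email", email);
        ctx.sendBroadcast(i, PERMISSION_ACCOUNT_EVENTS);
    }
}
```

When auditing an app for this pattern, look for `sendBroadcast`/`sendOrderedBroadcast` calls whose intent has no `setPackage`, `setComponent` or `setClass` and no receiver permission; on recent Android versions the eavesdropping receiver would also need the `Context.RECEIVER_EXPORTED` flag in `registerReceiver`, which does not change the outcome, since the attacker controls that flag.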

    Oversecured said the issues were reported to Xiaomi between April 25 and April 30, 2024. Users are advised to apply the latest updates.
