Millions of Xiaomi phones at risk of remotely installed malware

A portion of the 70 million phones shipped by Xiaomi last year are affected by the vulnerability.

xiaomiminote02.jpg

(Image: CNET/CBS Interactive)

Millions of Xiaomi phones are vulnerable to a flaw that could allow an attacker to remotely install malware.

The vulnerability, now fixed, was found in the analytics package in Xiaomi's custom-built Android-based operating system. Security researchers at IBM, who found the flaw, discovered a number of apps in the package that were vulnerable to a remote code execution flaw through a man-in-the-middle attack -- one of which would allow an attacker to run arbitrary code at the system-level.

In other words, an attacker could inject a link to a malicious Android app package, which is extracted and executed at the system level.

Xiaomi, the world's third-largest smartphone maker with more than 70 million devices shipped last year, fixed the flaw in a recent update.

Users should update their devices as soon as possible -- though, updates aren't (as far as we can tell) delivered over an encrypted channel.

This kind of attack vector, however, isn't new, and has been seen in other platforms.

These flaws rely on a lack of encryption and code-checking and verification. Because these updates aren't provided over an encrypted TLS (HTTPS) connection, they can be easily modified. Encryption prevents anyone from modifying the data in transit, and ensure that a man-in-the-middle attack is almost impossible to carry out.

It's not even the first time this kind of attack was discovered this year.

Earlier this year, a similar set of flaws were found in preinstalled software on Windows PCs -- so-called bloatware. This meant millions of laptops and desktops were at risk of having malware injected as it's being downloaded from the internet.

The researchers who found the vulnerabilities said that the "average potted plant" could exploit the flaws.