Original source (on modern site)
Several security experts have recently discovered that Xiaomi Android devices are suffering from a range of security vulnerabilities that affect several apps and system components. These vulnerabilities pose a severe threat to users' data privacy and device security. Xiaomi's users may be vulnerable to data breaches, cyber-attacks, and other security threats that could compromise their personal and sensitive information. The mobile security firm Oversecured disclosed the vulnerabilities, identifying 20 critical flaws impacting a wide range of Xiaomi's applications and system components. These vulnerabilities could potentially give hackers access to sensitive information stored on the devices, including personal data, financial information, and other confidential information. If exploited, these flaws could allow attackers to take over the devices, inject malicious code, or steal data from the device's memory. The security flaws discovered span several Xiaomi apps and components, including Gallery, GetApps, Mi Video, MIUI Bluetooth, Phone Services, Print Spooler, Security, Security Core Component, Settings, ShareMe, System Tracing, and Xiaomi Cloud. Among the most alarming vulnerabilities are a shell command injection bug found in the System Tracing app and flaws in the Settings app that could enable the theft of arbitrary files as well as leak information about Bluetooth devices, connected Wi-Fi networks, and emergency contacts. Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers: If you want to test all these features now with completely free access to the sandbox:
It's worth noting that some of these components, such as Phone Services, Print Spooler, Settings, and System Tracing, were originally part of the Android Open Source Project (AOSP) but were modified by Xiaomi to incorporate additional functionality, leading to these security flaws.
The vulnerabilities could allow attackers to access arbitrary activities, receivers, and services with system privileges, steal arbitrary files with system privileges, and disclose sensitive phone settings and Xiaomi account data. This could potentially lead to a wide range of malicious activities, including data theft, unauthorized access to personal information, and device hijacking. One particularly concerning flaw is a memory corruption issue in the GetApps app, which stems from an Android library called LiveEventBus. Oversecured said this flaw, reported over a year ago and still unpatched, could be exploited to perform malicious actions on the device. Upon discovery, Oversecured reported the issues to Xiaomi within five days, from April 25 to April 30, 2024. Xiaomi has since remediated all the vulnerabilities reported by the Oversecured team, ensuring that no user is exposed to the risks posed by these vulnerabilities. Users are advised to apply the latest updates to their devices to mitigate against potential threats. While Xiaomi has addressed the vulnerabilities identified by Oversecured, the discovery of such a significant number of flaws in a widely used brand's devices reminds us of the ongoing challenges in securing mobile devices against increasingly sophisticated threats. Is Your Network Under Attack? - Read CISO's Guide to Avoiding the Next Breach - Download Free GuideThe Nature of the Vulnerabilities
Integrate ANY.RUN in Your Company for Effective Malware Analysis