Xiaomi released a new version of MIUI to mitigate a remote code execution (RCE) vulnerability.
The vulnerability affects versions prior to MIUI Global Stable 7.2. It resides in the MIUI analytics component, which various Android apps use to collect data about how the application is used on the user’s device.
This component has a self-update mechanism that can be hijacked via a Man-in-the-Middle attack and used to deliver malicious update packages, said researchers at IBM’s Security Intelligence team in a blog post.
Because the analytics module does not verify the downloaded package and blindly executes it, an attacker has the opportunity to execute their code in the context and with the permissions of the highly privileged Android SYSTEM user.
The root of the problem is that the analytics package uses HTTP to query an update server for updates, and then downloads the package, also via HTTP. An attacker can watch for update requests and, using basic spoofing techniques, reply in the name of the server with a fake response.
This response contains links to the APK file the analytics package needs to download and execute. Because the analytics component does not engage in any type of cryptographic verification of the downloaded package, or of the server from which it fetched the file, the attack is not difficult to carry out for an experienced threat actor.
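The two checks the paragraph above says were missing (an authenticated server and a verified package) can be sketched as a gate that runs before anything is installed. This is an added example, not Xiaomi's or IBM's code; the host name, the manifest field names `url` and `sha256`, and all sample data are constructed assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumption: the only host this client accepts update traffic from.
TRUSTED_HOSTS = {"updates.example.com"}

def _url_problems(label, url):
    """Return the reasons a URL must not be used for update traffic."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append(f"{label}: scheme {parts.scheme!r} is not https")
    if parts.hostname not in TRUSTED_HOSTS:
        problems.append(f"{label}: host {parts.hostname!r} is not trusted")
    return problems

def vet_update(manifest_url, manifest, package):
    """Return refusal reasons for a downloaded package (empty list = accept).

    manifest is the parsed server reply; "url" and "sha256" are
    hypothetical field names chosen for this example.
    """
    problems = _url_problems("manifest", manifest_url)
    problems += _url_problems("package", manifest.get("url", ""))
    expected = str(manifest.get("sha256", "")).lower().encode()
    actual = hashlib.sha256(package).hexdigest().encode()
    # A matching digest proves nothing if the manifest itself arrived over
    # plain HTTP, which is why the URL checks above are not optional.
    if not hmac.compare_digest(expected, actual):
        problems.append("package: SHA-256 does not match the manifest")
    return problems

# Constructed sample data.
GOOD_PKG = b"constructed analytics update v2"
FAKE_PKG = b"constructed replacement package"
GOOD_MANIFEST = {"url": "https://updates.example.com/analytics.apk",
                 "sha256": hashlib.sha256(GOOD_PKG).hexdigest()}
# A spoofed reply is self-consistent: its digest matches its own package.
SPOOFED_MANIFEST = {"url": "http://203.0.113.5/analytics.apk",
                    "sha256": hashlib.sha256(FAKE_PKG).hexdigest()}

if __name__ == "__main__":
    print(vet_update("https://updates.example.com/check", GOOD_MANIFEST, GOOD_PKG))
    print(vet_update("http://updates.example.com/check", SPOOFED_MANIFEST, FAKE_PKG))
    print(vet_update("https://updates.example.com/check", GOOD_MANIFEST, FAKE_PKG))
```

The spoofed case is rejected only by the transport and host checks, since a forged manifest carries a digest that matches its own package. A production updater would additionally verify a publisher signature on the package rather than rely on TLS alone.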
Android, iOS and desktop software applications have been exposed in recent months for not using HTTPS to deliver updates. In Xiaomi’s case, the situation is dangerous because the company is the third largest smartphone manufacturer in the world, behind Samsung and Apple.
The company shipped over 70 million devices in 2015 alone, which could now be in danger of being hijacked if the user fails to update to the most recent OS version.
IBM identified vulnerable analytics packages in at least four default apps provided with Xiaomi MIUI distributions, one of them being the default browser app.
Researchers informed Xiaomi of the issue this past January, and the company quickly provided a new MIUI update that addressed the vulnerability.