Popular Xiaomi Phone Could Put Data at Risk


Updated March 8, 2015 with Xiaomi’s findings
After in-depth testing, Xiaomi has stated that the device is counterfeit and a very good one at that.  It even defeated their verification app initially. Full update below.
Updated March 6, 2015 with Xiaomi’s response
Xiaomi is fixing their response process, and the device we tested appears to have been tampered with in the distribution/retail process by an unknown third party, which we're researching. We're still working with Xiaomi to gain clarification on some findings.

Android is very popular in China; it makes up almost 90 percent of the country’s mobile device ecosystem. However very few, if any, of these devices run a Google certified version of Android.

This has three important implications:

  • First, it means the devices are not allowed to use Google services like the Google Play Store.
  • Second, the devices are not required to pass Google’s approved set of tests[1] before the device can be released.
  • Third, devices can be shipped with known security vulnerabilities (that have been fixed in Google certified versions).

This means that by using such devices you are putting your personal data, as well as corporate data (if the device is used under BYOD), at risk.

With the growing adoption rate for Android devices, Xiaomi, which operates out of China, is gaining popularity. On a recent visit to China, Bluebox Labs purchased a popular Xiaomi device, the Mi 4 LTE, and brought it back to our lab to assess the trustability and associated risks of the device.

Fake or Legitimate Device

Mobile attacks follow user adoption. Thus, Xiaomi’s mainstream popularity also means its devices are popular among counterfeiters. As such, our first test was to determine the authenticity of the Xiaomi Mi 4 LTE we had acquired. Determining whether our Mi 4 LTE was counterfeit was key to understanding the rest of our findings.

To determine if the device is a fake, there are a variety of hardware factors one can look at, both on the surface of the device, under the battery cover, and in the components used (e.g. the CPU type). Additionally, there is an app called "Mi Identification" that can be run on the device to determine whether the device is legitimate or not. Based on this testing, we determined that our Xiaomi Mi 4 LTE was, in fact, legitimate. This is a definite cause for concern given the number of questionable, if not downright dicey, things we discovered upon further testing.

Pre-Installed Malware

We ran several of the top malware and antivirus scanners on the Mi 4 to determine if any questionable apps came pre-loaded on the device. We used several scanners to compile a comprehensive list as some scanners returned nothing and others flagged different apps. Ultimately, we found six suspicious apps that can be considered malware, spyware or adware; a few were more notable than others.

One particularly nefarious app was Yt Service. Yt Service embeds an adware service called DarthPusher that delivers ads to the device among other things[2]. This was an interesting find because, though the app was named Yt Service, the developer package was named com.google.hfapservice (note this app is NOT from Google). Yt Service is highly suspicious because it disguised its package to look as if it came from Google; something an Android user would expect to find on their device. In other words, it tricks users into believing it’s a “safe” app vetted by Google.

Other risky apps of note included PhoneGuardService (com.egame.tonyCore.feicheng), classified as a Trojan; AppStats (org.zxl.appstats), classified as riskware; and SMSreg, classified as malware[3].
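The package-name masquerade above (a "Yt Service" app living under com.google.hfapservice) is easy to catch mechanically once you have a package inventory and the signing-certificate fingerprint of each app. The following is an added example, not Bluebox's tooling, that audits such an inventory: it flags packages on a watchlist built from the names reported in this article, and packages whose name claims a well-known vendor namespace (com.google., com.android., com.xiaomi.) but whose signer is not a fingerprint you trust for that namespace. Every fingerprint and the inventory itself are constructed placeholders; on a real device you would fill them from `adb shell pm list packages` plus a certificate dump of each APK.

```python
# Added example (not Bluebox's tooling): flag pre-installed apps whose package
# name borrows a well-known vendor namespace but whose signing certificate is
# not that vendor's, plus hits against a watchlist of package names the
# article identified. All fingerprints below are constructed placeholders.

# Constructed: replace with the real SHA-256 certificate fingerprints you
# trust for each namespace (e.g. taken from a known-good device or APK).
KNOWN_VENDOR_SIGNERS = {
    "com.google.": {"PLACEHOLDER_GOOGLE_SIGNER_SHA256"},
    "com.android.": {"PLACEHOLDER_GOOGLE_SIGNER_SHA256",
                     "PLACEHOLDER_AOSP_PLATFORM_SHA256"},
    "com.xiaomi.": {"PLACEHOLDER_XIAOMI_SIGNER_SHA256"},
}

# Package names the article reports as flagged by the scanners.
WATCHLIST = {
    "com.google.hfapservice": "Yt Service / DarthPusher adware",
    "com.egame.tonyCore.feicheng": "PhoneGuardService (Trojan)",
    "org.zxl.appstats": "AppStats (riskware)",
}

# Constructed inventory: (package, label, signer_sha256). The signer values
# are placeholders standing in for certificate fingerprints.
SAMPLE_INVENTORY = [
    ("com.google.hfapservice", "Yt Service", "PLACEHOLDER_UNKNOWN_SIGNER_1"),
    ("com.egame.tonyCore.feicheng", "PhoneGuardService", "PLACEHOLDER_UNKNOWN_SIGNER_2"),
    ("org.zxl.appstats", "AppStats", "PLACEHOLDER_UNKNOWN_SIGNER_3"),
    ("com.android.settings", "Settings", "PLACEHOLDER_AOSP_PLATFORM_SHA256"),
    ("com.xiaomi.market", "Mi Market", "PLACEHOLDER_XIAOMI_SIGNER_SHA256"),
]


def vendor_namespace(package, known=KNOWN_VENDOR_SIGNERS):
    """Return the trusted namespace prefix a package name claims, if any."""
    for prefix in known:
        if package.startswith(prefix):
            return prefix
    return None


def audit_inventory(records, known=KNOWN_VENDOR_SIGNERS, watchlist=WATCHLIST):
    """Return a list of (package, reason) findings, one entry per problem found."""
    findings = []
    for package, label, signer in records:
        if package in watchlist:
            findings.append((package, f"on watchlist: {watchlist[package]}"))
        ns = vendor_namespace(package, known)
        if ns is not None and signer not in known[ns]:
            findings.append((package,
                             f"claims the {ns}* namespace but signer {signer} "
                             f"is not a trusted {ns} signer (label {label!r})"))
    return findings


def packages_flagged(records):
    """Distinct packages with at least one finding, in inventory order."""
    seen = []
    for package, _ in audit_inventory(records):
        if package not in seen:
            seen.append(package)
    return seen


if __name__ == "__main__":
    for package, reason in audit_inventory(SAMPLE_INVENTORY):
        print(f"{package}: {reason}")
```

The namespace check is the part worth keeping even when no watchlist exists: a vendor-looking package name is free to claim, but the certificate it is signed with is not, so the signer, not the name, is what you compare against.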

Trustable

We ran Trustable by Bluebox[4] on the Mi 4 to determine its security posture. We were disappointed to see a score of 2.6, which falls in the suspicious range.

Not only was the device vulnerable to every vulnerability we scan for (except Heartbleed, which only affects Android 4.1.1), it was also rooted and had USB debugging mode enabled without the proper prompt to authorize a connected computer.

The USB debugging is especially troublesome because the device says it ships with Android 4.4.4, which should enforce the Android device to manually authorize an unknown connecting computer.

Additionally, we noticed that the device comes rooted. The "su" application does require a security provider on the device (com.lbe.security.miui.su), so the usage of "su" is restricted in some sense; however, it shouldn't exist in a production release build of Android, as it's a gateway for any app that can access it to do potentially bad things.

Android Operating System

The Android operating system running on the Xiaomi Mi4 is largely based on the MIUI ROM. MIUI is a forked (not certified) form of Android and does not contain any Google services. The Mi4 has its own app store, the Mi Market, as an alternative to Google Play (Remember: Google services are not available on this device). While the operating system identifies itself as Android KitKat 4.4.4, there are some oddities that make it appear to be a mash-up of both an older version of Android with parts of the current version (4.4.4).

For example, the USB debugging icon is a Jelly Bean – this is normally found on 4.1.X through 4.3.X – while the icon for 4.4.4 is a KitKat bar. Additionally, some of the vulnerabilities found would only be present on devices before 4.4.X. Based on the build properties (a set of identifiers that are set when the software on the device is built), we found several conflicts: the API level corresponds to Android 4.2, and the properties disagree on whether the device is signed with test-keys or release-keys. This means it's unclear whether this build of the software was meant for testing or for release to consumers.

As Bluebox Labs has discovered in other device studies, devices that ship with test-key identifiers typically have a worse security posture than those that do not. It's the nature of test software to allow testers to do "extra" things that a normal consumer wouldn't need to.

Conflicting build properties

  • [ro.build.version.release]: [4.4.4] – corresponds to Android KitKat and API level 19
  • [ro.build.version.sdk]: [17] – this API level corresponds to Android Jelly Bean 4.2
  • [ro.build.tags]: [test-keys] – usually shown on test or debug builds of software, but conflicts with the tags in the device fingerprint
  • [ro.build.fingerprint]: [Xiaomi/cancro/cancro:4.4.4/KTU84P/KXDCNBH25.0:user/release-keys]
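These conflicts can be checked automatically from `adb shell getprop` output. The following is an added example, not Bluebox's tooling, that parses the `[key]: [value]` lines, maps the release string to the API level it should carry, compares `ro.build.tags` with the tags segment at the end of the fingerprint, and also looks at three standard Android properties the article does not quote: `ro.secure`, `ro.debuggable` and `ro.adb.secure`, which are the usual indicators of a rooted/debug build and of USB debugging that does not ask the user to authorize a host. The sample output is constructed from the values above; the three extra property values are assumptions consistent with what the article describes.

```python
# Added example (not Bluebox's tooling): parse `adb shell getprop` output and
# flag the kinds of conflicts described above. The sample output is constructed
# from the values quoted in the article plus three standard Android properties
# (ro.secure, ro.debuggable, ro.adb.secure) with assumed values consistent with
# a rooted device whose USB debugging does not prompt for host authorization.
import re

# Android release (major.minor) -> API level, for the versions discussed here.
RELEASE_TO_API = {"4.1": 16, "4.2": 17, "4.3": 18, "4.4": 19, "5.0": 21}

SAMPLE_GETPROP = """\
[ro.build.version.release]: [4.4.4]
[ro.build.version.sdk]: [17]
[ro.build.tags]: [test-keys]
[ro.build.fingerprint]: [Xiaomi/cancro/cancro:4.4.4/KTU84P/KXDCNBH25.0:user/release-keys]
[ro.secure]: [0]
[ro.debuggable]: [1]
[ro.adb.secure]: [0]
"""

PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")


def parse_getprop(text):
    """Turn `[key]: [value]` lines into a dict; lines that do not match are skipped."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def expected_api(release):
    """Map a release string such as '4.4.4' to its API level, or None if unknown."""
    major_minor = ".".join(release.split(".")[:2])
    return RELEASE_TO_API.get(major_minor)


def fingerprint_tags(fingerprint):
    """A build fingerprint ends in ':<build type>/<tags>'; return the tags part."""
    return fingerprint.rsplit("/", 1)[-1] if "/" in fingerprint else ""


def check_build_props(props):
    """Return a list of human-readable findings; an empty list means no conflicts."""
    findings = []
    release = props.get("ro.build.version.release", "")
    sdk = props.get("ro.build.version.sdk", "")
    want = expected_api(release)
    if want is not None and sdk.isdigit() and int(sdk) != want:
        findings.append(f"release {release} implies API {want}, "
                        f"but ro.build.version.sdk is {sdk}")
    tags = props.get("ro.build.tags", "")
    fp_tags = fingerprint_tags(props.get("ro.build.fingerprint", ""))
    if tags and fp_tags and tags != fp_tags:
        findings.append(f"ro.build.tags is {tags}, but the fingerprint says {fp_tags}")
    if "test-keys" in tags:
        findings.append("build signed with test-keys (not a production signing key)")
    if props.get("ro.secure") == "0":
        findings.append("ro.secure=0: adbd keeps root privileges")
    if props.get("ro.debuggable") == "1":
        findings.append("ro.debuggable=1: debuggable (non-user) build")
    if props.get("ro.adb.secure") == "0":
        findings.append("ro.adb.secure=0: USB debugging does not require host authorization")
    return findings


if __name__ == "__main__":
    for finding in check_build_props(parse_getprop(SAMPLE_GETPROP)):
        print("CONFLICT:", finding)
```

Run it against `adb shell getprop` output saved from a device you are evaluating; a device that reports a consistent release/API pair, `release-keys` in both places, `ro.secure=1`, `ro.debuggable=0` and `ro.adb.secure=1` produces no findings.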


Miscellaneous Findings:

The external storage on the device contains a hidden directory that holds several Android applications that look to be primarily performance benchmarking apps. Some of these apps have been re-signed with a key other than the original manufacturer's signing key, meaning they could have been tampered with. For example, in one app called CPU-Z we identified that the signer of the app as it exists in Google Play differs from the signer of the app found on the external storage of this device.

Also interesting, we noticed that the Bluebox Labs Bluebox Security Scanner is available for download in the Mi Market. However, we’ve never officially released a version to the Mi Market.

Conclusions

Bluebox Labs followed responsible disclosure with Xiaomi. However, the team never heard back from Xiaomi and as is consistent with responsible disclosure protocol, is releasing the report to the general community.

These findings are illustrative of a growing trend, the increasing popularity of forked (non-certified) versions of Android. According to ABI Research, approximately 40 percent of the Android shipments in the 4th quarter of 2014 were of a forked version of Android. These forked versions don’t necessarily follow the vetting process that Google provides for approved versions of devices running Android. This means that data on forked versions is at risk as the trustable nature of the device is called into question.

To combat this risk, employees and enterprises need to be careful about how they secure data (personal and corporate) on their devices. The Mi 4 is only one example of a high-profile manufacturer shipping devices with identified malware – there are many more out there shipping with similar configurations. This is not an issue limited to devices coming from China. Our holiday 2014 tablet review identified several readily available and heavily advertised devices that put user (and corporate) data at risk.

As companies expand their BYOD policy, these low trust devices will make their way into the enterprise, putting not only the personal data of the user at risk, but that of the corporation too. Since it is hard to enforce what types of devices are used in a BYOD environment, it is best for enterprises to assume a zero-trust environment and instead focus on protecting the apps and the data within them rather than the device itself.

To see if your device is at risk, download the free Trustable by Bluebox app. For information on how to remediate this risk, check out the Trustable by Bluebox app guide, or download our free guides to configuring your mobile device, available here:

Android: https://bluebox.com/android-user-security-guide/

iOS: https://bluebox.com/ios-user-security-guide/

[1] http://source.android.com/compatibility/cts-intro.html

[2] http://securelist.com/blog/virus-watch/59356/caution-malware-pre-installed/

[3] http://www.avgthreatlabs.com/virus-and-malware-information/info/android-smsreg/

[4] Trustable by Bluebox produces an overall Trust Score, which indicates how trustable each device is compared to other available Android devices. You can read about how we compute a Trust Score here and give the free Trustable by Bluebox app a try by downloading it from Google Play.

Addendum

Bluebox Labs vetted the authenticity of the device through several methods.

  1. We used the Mi team anti-fake app (https://jd.mi.com/) and the device was verified as legitimate.
  2. We used CPU-Z to check the hardware on the device:
    1. http://www.gsmarena.com/xiaomi_mi_4_lte-6866.php
    2. Our device's CPU: Qualcomm Snapdragon 801 (Qualcomm MSM 8974)
    3. The hardware matches a legitimate device, not a clone.
  3. We checked several hardware identifiers against those of known fakes, and the device appears to be legitimate:
    1. http://en.miui.com/thread-42873-1-1.html

While the ROM could have been swapped out and replaced in the channel, the fact is the device was purchased from a retailer in the state that it is in, which means others could have the same issue if the ROM was replaced. Additionally, we reached out to Xiaomi several times to help us confirm our findings, but had no response from them. Based on our results we have to conclude the device is not a clone and the software is legitimate until more information is presented to us.


Update: March 6, 2015
Adam Ely, Co-Founder & CSO

After our research was published, Xiaomi's PR team and Hugo Barra, VP International, contacted us. Below is the relevant part of their response.

“We are certain the device that Bluebox tested is not using a standard MIUI ROM, as our factory ROM and OTA ROM builds are never rooted and we don’t pre-install services such as YT Service, PhoneGuardService, AppStats etc. Bluebox could have purchased a phone that has been tampered with, as they bought it via a physical retailer in China. Xiaomi does not sell phones via third-party retailers in China, only via our official online channels and selected carrier stores.” - Hugo Barra, VP International

This brings up two larger issues:

  • If a manufacturer ships a device that can then be modified by the retailer, or someone else in the distribution chain, how can organizations trust the security of the device and the reputation of the brand? Organizations must treat all devices as untrusted when the manufacturer can't ensure integrity from manufacturing to purchase.
  • The security industry's discussion of responsible disclosure often focuses on the responsibility of the disclosing party, but the receiving party also has responsibility in the process. How the receiving party responds sets the tone for the rest of the process and determines the relationship moving forward. It can be challenging, especially for those who haven't gone through this process before, but with everyone working together – pre and post public disclosure – the process has proven to work in thousands of instances worldwide.

I posed both questions to Xiaomi and received an initial response from Hugo Barra, VP International.

“- We are investigating internally to find out why Bluebox’s communication was not received by our team members and will act accordingly.

- As with any other brand of smartphones, to ensure they’re purchasing legitimate products, we recommend that consumers only purchase Xiaomi devices through Mi.com and reputable retailers such as official mobile operator stores.”  - Hugo Barra, VP International

If it's this easy to modify the device in the retail chain, it could also be modified in transit, even when purchased from mi.com[5]. While in our original blog we questioned whether or not the device was modified in the retail chain, the tools supplied by Xiaomi that we used to verify the software and the device fell far short of providing a correct answer.

This obviously means buying Xiaomi devices from a retail location is not recommended, and only purchasing devices directly from mi.com will provide the supply chain integrity that enterprises require.

We’ll continue working with Xiaomi to gather further information and help where we can.

[5] http://www.theverge.com/2013/12/29/5253226/nsa-cia-fbi-laptop-usb-plant-spy

Update: March 7, 2015
Adam Ely, Co-Founder & CSO

Xiaomi assures us that they follow the Android Compatibility Definition Document (CDD) produced by Google and pass the Android Compatibility Test Suite (CTS). However, we have not independently verified these claims and are trying to do so. Additionally, we have asked the Xiaomi security team a few questions about our findings, including how one of our applications appeared in their app store without us uploading it, and are waiting for responses. We'll continue to work with the vendor while we also investigate supply and distribution chain risks in China through our partners in country.

Update: March 8, 2015
Andrew Blaich, Lead Security Analyst

After in-depth testing, Xiaomi has stated that the device is counterfeit, and a very good one at that. It even defeated their verification app initially. The conclusion was arrived at after sending about a dozen photographs of a variety of angles and areas of the device, which were then reviewed by a team at Xiaomi. They additionally compared several of the other anomalies that Bluebox Labs noted in the original findings report. The level of detail this counterfeit went to in order to look and act like the real thing was rather extraordinary. It has the same internal structures, battery and labels on the components that are commonly used by people online to determine the authenticity of a device if it's not powered on[6]. Even the Mi Identification app (AntiFake) that was released by Xiaomi to detect these sorts of situations told us that the device was genuine.

The amount of effort that had to be expended to confirm the authenticity of this device goes way beyond what a normal consumer can be expected to do to be assured their purchase is genuine. The version of the MIUI ROM loaded on this device has had modifications made to it to bypass even the authentication checks of the AntiFake app. As Bluebox Labs mentioned in the original findings, there is a hidden directory on the sdcard called .apk. Within this hidden directory sit some APKs, such as CPU-Z and also a version of the AntiFake app. If a user tries to install an app on their phone that corresponds to one of these packages, the app on the sdcard replaces the real app the user attempts to install. This is one method the ROM is using to bypass the verification app. The process can be worked around by removing the version of the APK on the sdcard for the app you want, replacing it with the real version, and then installing the app you want again. We confirmed this by installing the latest AntiFake app. After we got the correct version of the AntiFake app installed on our device, we could check the authenticity of the device. The device now reports as not legitimate, which corroborates the findings from Xiaomi.
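The substitution described above (the APK you install is silently replaced by a copy staged in a hidden directory) is detectable without trusting the device's own verification app: pull the APK that actually ended up installed and compare it with the file you intended to install. The following is an added example, not Bluebox's tooling, that compares two APKs by whole-file SHA-256 and then, when they differ, by per-entry CRC so you can see which files changed (a swapped classes.dex or META-INF signature block being the telltale). The two APKs it builds are constructed toy zips with placeholder contents, not real packages, so the example runs offline.

```python
# Added example (not Bluebox's tooling): compare the APK you intended to install
# with the one actually present on the device, to catch the on-device
# substitution described above. The APK files below are constructed toy zips
# (placeholder contents, not real dex or certificate bytes) so it runs offline.
import hashlib
import os
import tempfile
import zipfile


def sha256_file(path):
    """Whole-file SHA-256, streamed so large APKs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def apk_entry_crcs(path):
    """Map each zip entry name to its CRC-32, enough to see which files changed."""
    with zipfile.ZipFile(path) as z:
        return {info.filename: info.CRC for info in z.infolist()}


def diff_apks(expected_path, installed_path):
    """Describe how the installed APK differs from the expected one."""
    if sha256_file(expected_path) == sha256_file(installed_path):
        return {"identical": True, "changed": [], "added": [], "removed": []}
    exp, got = apk_entry_crcs(expected_path), apk_entry_crcs(installed_path)
    return {
        "identical": False,
        "changed": sorted(n for n in exp.keys() & got.keys() if exp[n] != got[n]),
        "added": sorted(got.keys() - exp.keys()),
        "removed": sorted(exp.keys() - got.keys()),
    }


def build_sample_apks(directory):
    """Constructed sample: a 'genuine' package and a substituted copy whose
    code and signature block differ and which carries an extra asset."""
    genuine = os.path.join(directory, "antifake-genuine.apk")
    swapped = os.path.join(directory, "antifake-installed.apk")
    with zipfile.ZipFile(genuine, "w") as z:
        z.writestr("AndroidManifest.xml", b"PLACEHOLDER-MANIFEST")
        z.writestr("classes.dex", b"PLACEHOLDER-DEX-GENUINE")
        z.writestr("META-INF/CERT.RSA", b"PLACEHOLDER-SIGNER-GENUINE")
    with zipfile.ZipFile(swapped, "w") as z:
        z.writestr("AndroidManifest.xml", b"PLACEHOLDER-MANIFEST")
        z.writestr("classes.dex", b"PLACEHOLDER-DEX-MODIFIED")
        z.writestr("META-INF/CERT.RSA", b"PLACEHOLDER-SIGNER-OTHER")
        z.writestr("assets/extra.bin", b"PLACEHOLDER-EXTRA")
    return genuine, swapped


def run_sample():
    """Build the constructed pair in a temporary directory and return the diff."""
    with tempfile.TemporaryDirectory() as d:
        genuine, swapped = build_sample_apks(d)
        return diff_apks(genuine, swapped)


if __name__ == "__main__":
    print(run_sample())
```

On a real device, `adb shell pm path <package>` prints where the installed APK lives and `adb pull` retrieves it; compare that file against the APK you downloaded from the vendor rather than the one the device offered you. A non-empty "changed" list that includes the META-INF signature files means the installed app was not signed by the key the vendor's copy was signed with.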

Bluebox Labs has been talking with the security team at Xiaomi. The security team did provide the clarified feedback that we had sought in our original disclosure on the security posture of the MIUI ROM that Xiaomi ships with its devices. The team ran Trustable by Bluebox on the device and received a score of 6.7, a much better score than what Bluebox found with the non-standard MIUI ROM. Additionally, a lot of the discrepancies we found in the ROM are reportedly resolved in the Mi ROM that ships from the factory. While we're going off verification from the security team at Xiaomi, Bluebox Labs is awaiting some additional devices to arrive in order to carry out our own testing.

The lessons learned in this endeavor come down to three things: responsible disclosure, supply chain, and authentication tools. Firstly, companies receiving responsible disclosure need to be vigilant about checking the accounts they have set up for receiving such alerts and working with researchers appropriately on their findings. Xiaomi has assured us that they have now taken the necessary steps to monitor the account more closely. The Xiaomi security team has also been excellent at providing us access to the information we've requested to verify our findings. Secondly, the supply chain is called into question. Whether or not the device was counterfeit, the fact remains that consumers are buying devices with compromised ROMs (either put on legitimate hardware or put on counterfeit hardware) that put their data at risk. Finally, the tools used to determine the authenticity of a device need to be drastically improved, as suppliers won't have the time to receive and process dozens of photos per device sold to ascertain the authenticity of their devices, nor will consumers have the technical expertise to circumvent the tricks in the software.

[6] http://en.miui.com/thread-42873-1-1.html