Computer science student from the Netherlands, Thijs Broenink, has discovered a massive security flaw in a Xiaomi Mi 4 that allows an attacker to secretly upload malware onto a smartphone.

The flaw in question has to do with the AnalyticsCore.apk app, which runs constantly and reappears after it has been deleted. The app talks to a remote server and looks for a file named Analytics.apk which, if found, is installed without any sort of validation.

The problem is that, without any verification process, the potential exists for a malicious attacker to hijack the download and inject malware into the package.
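The missing validation step, sketched as an added example that is not Xiaomi's code or code from Broenink's write-up: before installing, compare the downloaded APK's signing certificates with those of the app doing the download. The class name `UpdateVerifier`, its parameters, and the assumption that the update is signed with the same key as the installed app are hypothetical.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;
import java.util.HashSet;
import java.util.Set;

/** Hypothetical helper: refuse an update whose signer differs from the installed app's. */
public final class UpdateVerifier {
    private UpdateVerifier() {}

    /** SHA-256 digests of every signing certificate attached to a package. */
    private static Set<String> certDigests(PackageInfo info) throws Exception {
        Set<String> out = new HashSet<>();
        if (info == null || info.signatures == null) return out;
        MessageDigest sha = MessageDigest.getInstance("SHA-256");
        for (Signature s : info.signatures) {
            StringBuilder hex = new StringBuilder();
            for (byte b : sha.digest(s.toByteArray())) hex.append(String.format("%02x", b));
            out.add(hex.toString());
        }
        return out;
    }

    /**
     * True only if the downloaded file is the expected package, carries the same
     * signer set as the installed app, and is not a downgrade.
     * apkPath should point into app-private storage so the file cannot be
     * swapped between this check and the install.
     */
    public static boolean isTrustedUpdate(Context ctx, String apkPath, String expectedPackage) {
        try {
            PackageManager pm = ctx.getPackageManager();
            PackageInfo downloaded = pm.getPackageArchiveInfo(apkPath, PackageManager.GET_SIGNATURES);
            PackageInfo installed = pm.getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            if (downloaded == null || !expectedPackage.equals(downloaded.packageName)) return false;
            Set<String> want = certDigests(installed);
            Set<String> got = certDigests(downloaded);
            return !want.isEmpty() && want.equals(got)
                    && downloaded.versionCode > installed.versionCode;
        } catch (Exception e) {
            return false; // fail closed: any parsing or lookup error means "do not install"
        }
    }
}
```

`GET_SIGNATURES` and `versionCode` match the Android releases of that period; on API 28 and later the equivalents are `GET_SIGNING_CERTIFICATES` and `getLongVersionCode()`.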

If that wasn’t bad enough, while AnalyticsCore.apk is talking to the server it’s transmitting information such as the IMEI number, MAC address, model, package name and signature, as well as the nonce.

This is extremely worrying as it would give anybody gathering that information enough of an insight into what sort of handset you’re using to craft an attack specifically for that smartphone.

This is made all the easier by the fact that this information is transmitted over an HTTP connection rather than a secure HTTPS connection, which means it is prone to a man-in-the-middle attack.

Silence from Xiaomi

At the time of writing, Xiaomi had not responded to comments on its forum about the flaw, which appears to have been discovered as far back as December 2015.

We have also contacted Xiaomi for comment on this story, but at the time of writing the firm had not yet responded.

Until Xiaomi responds, Broenink recommends installing a firewall, such as one offered by Avast, and blocking access to Xiaomi-related sites.

Hopefully the manufacturer responds sooner rather than later as preventing updates from the manufacturer might lead to more holes that can be exploited.

[Source – Thijs Broenink]