Xiaomi Android Devices Hit by Multiple Flaws Across Apps and System Components

2 weeks ago AndyC

May 06, 2024NewsroomAndroid / Data Security

Multiple security vulnerabilities have been disclosed in various applications and system components within Xiaomi devices running Android.

Xiaomi Android Devices Hit by Multiple Flaws Across Apps and System Components

May 06, 2024NewsroomAndroid / Data Security

Xiaomi Android Devices Hit by Multiple Flaws Across Apps and System Components

Multiple security vulnerabilities have been disclosed in various applications and system components within Xiaomi devices running Android.

“The vulnerabilities in Xiaomi led to access to arbitrary activities, receivers and services with system privileges, theft of arbitrary files with system privileges, [and] disclosure of phone, settings and Xiaomi account data,” mobile security firm Oversecured said in a report shared with The Hacker News.

Cybersecurity

The 20 shortcomings impact different apps and components like –

  • Gallery (com.miui.gallery)
  • GetApps (com.xiaomi.mipicks)
  • Mi Video (com.miui.videoplayer)
  • MIUI Bluetooth (com.xiaomi.bluetooth)
  • Phone Services (com.android.phone)
  • Print Spooler (com.android.printspooler)
  • Security (com.miui.securitycenter)
  • Security Core Component (com.miui.securitycore)
  • Settings (com.android.settings)
  • ShareMe (com.xiaomi.midrop)
  • System Tracing (com.android.traceur), and
  • Xiaomi Cloud (com.miui.cloudservice)

Some of the notable flaws include a shell command injection bug impacting the System Tracing app and flaws in the Settings app that could enable theft of arbitrary files as well as leak information about Bluetooth devices, connected Wi-Fi networks, and emergency contacts.

It’s worth noting that while Phone Services, Print Spooler, Settings, and System Tracing are legitimate components from the Android Open Source Project (AOSP), they have been modified by the Chinese handset maker to incorporate additional functionality, leading to these flaws.

Cybersecurity

Also discovered is a memory corruption flaw impacting the GetApps app, which, in turn, originates from an Android library called LiveEventBus that Oversecured said was reported to the project maintainers over a year ago and remains unpatched to date.

The Mi Video app has been found to use implicit intents to send Xiaomi account information, such as username and email address via broadcasts, which could be intercepted by any third-party app installed on the devices using its own broadcast receivers.

Oversecured said the issues were reported to Xiaomi within a span of five days from April 25 to April 30, 2024. Users are advised to apply the latest updates to mitigate against potential threats.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , ,

More Stories

Kinsing Hacker Group Exploits More Flaws to Expand Botnet for Cryptojacking

Kinsing Hacker Group Exploits More Flaws to Expand Botnet for Cryptojacking

1 day ago AndyC
New XM Cyber Research: 80% of Exposures from Misconfigurations, Less Than 1% from CVEs

New XM Cyber Research: 80% of Exposures from Misconfigurations, Less Than 1% from CVEs

2 days ago AndyC
China-Linked Hackers Adopt Two-Stage Infection Tactic to Deploy Deuterbear RAT

China-Linked Hackers Adopt Two-Stage Infection Tactic to Deploy Deuterbear RAT

2 days ago AndyC
Kimsuky APT Deploying Linux Backdoor Gomir in South Korean Cyber Attacks

Kimsuky APT Deploying Linux Backdoor Gomir in South Korean Cyber Attacks

2 days ago AndyC
CISA Warns of Actively Exploited D-Link Router Vulnerabilities - Patch Now

CISA Warns of Actively Exploited D-Link Router Vulnerabilities – Patch Now

2 days ago AndyC
New Wi-Fi Vulnerability Enables Network Eavesdropping via Downgrade Attacks

New Wi-Fi Vulnerability Enables Network Eavesdropping via Downgrade Attacks

2 days ago AndyC

You may have missed

North Korea-linked IT workers infiltrated hundreds of US firms

North Korea-linked IT workers infiltrated hundreds of US firms

11 hours ago AndyC
The who, where, and how of APT attacks – Week in security with Tony Anscombe

The who, where, and how of APT attacks – Week in security with Tony Anscombe

20 hours ago AndyC
Turla APT used two new backdoors to infiltrate a European ministry of foreign affairs

Turla APT used two new backdoors to infiltrate a European ministry of foreign affairs

1 day ago AndyC

Friday Squid Blogging: Emotional Support Squid

1 day ago AndyC

How to Protect Yourself on Social Networks

1 day ago AndyC

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.