Xiaomi Mi 4 Flagship Hiding Malware, Spyware, and Adware?

By on
Bluebox Security tested a Xiaomi Mi 4 LTE and claims to find major security issues, including pre-installed malware among others. (Image courtesy of Xiaomi)

The Xiaomi Mi 4, a popular and top-selling handset in China and select countries, allegedly comes with built-in malware and a vulnerable version of the Android OS.

The Bluebox report

On Thursday last week, a data security firm called Bluebox released a report about their tests for the Chinese device maker?s current flagship, the Xiaomi Mi 4, specifically the LTE version. Unfortunately for Xiaomi, the device didn?t exactly pass with flying colors.

The firm mentioned that it initially conducted some tests to make sure that the model they have was not a counterfeit as such devices are common in China. It was followed up with several tests revealing that the handset is riddled with a handful of software that are known to be malware, spyware, or adware.

Malicious pre-installed content

Bluebox reported that upon testing the Xiaomi Mi 4 model in their possession, they found out that it is riddled with several security risks with different types of suspicious software including pre-installed apps such as AppStats, PhoneGuardService, and Yt Service. The former is apparently used to push ads to a user?s device while AppStats and PhoneGuardService were classified as malware and Trojan, respectively.

Andrew Blaich, a Bluebox lead security analyst, further said that the Android version running the Mi 4 is not certified by Google and appeared to be a combination of Android 4.4.4 KitKat and another older Android version.

Xiaomi?s reaction

The first version of the Bluebox report was posted on Thursday, after saying that the firm has not received any response from Xiaomi regarding the tests they conducted. On Friday, however, Xiaomi?s PR Team and Hugo Barra, the company?s VP International, finally responded. Here?s a relevant portion of the reply as published by Bluebox:

?We are certain the device that Bluebox tested is not using a standard MIUI ROM, as our factory ROM and OTA ROM builds are never rooted and we don?t pre-install services such as YT Service, PhoneGuardService, AppStats etc. Bluebox could have purchased a phone that has been tampered with, as they bought it via a physical retailer in China. Xiaomi does not sell phones via third-party retailers in China, only via our official online channels and selected carrier stores.?

While the reaction brought significant details about the actual device tested by the firm and the mean by which it was procured, Bluebox raises a further concerns. They pointed out how easy it may be to attack the manufacturer?s products at retail level, whether it be via third party resellers or while the devices are in transit when consumers purchased them from the official online store.


Photo Credit: ?Xiaomi

About the author

To Top