Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
thnThe Hacker NewsTHN:2AFF5CEDB7C9A4680B5436B75FCEEB9C
HistoryMay 06, 2024 - 10:03 a.m.

Xiaomi Android Devices Hit by Multiple Flaws Across Apps and System Components

2024-05-0610:03:00
The Hacker News
thehackernews.com
3
xiaomi
android
security vulnerabilities
system components
gallery
getapps
mi video
miui bluetooth
phone services
print spooler
security
settings
shareme
system tracing
xiaomi cloud
shell command injection
memory corruption
implicit intents

8.1 High

AI Score

Confidence

Low

JSON

Xiaomi Android Devices

Multiple security vulnerabilities have been disclosed in various applications and system components within Xiaomi devices running Android.

β€œThe vulnerabilities in Xiaomi led to access to arbitrary activities, receivers and services with system privileges, theft of arbitrary files with system privileges, [and] disclosure of phone, settings and Xiaomi account data,” mobile security firm Oversecured said in a report shared with The Hacker News.

Cybersecurity

The 20 shortcomings impact different apps and components like -

  • Gallery (com.miui.gallery)
  • GetApps (com.xiaomi.mipicks)
  • Mi Video (com.miui.videoplayer)
  • MIUI Bluetooth (com.xiaomi.bluetooth)
  • Phone Services (com.android.phone)
  • Print Spooler (com.android.printspooler)
  • Security (com.miui.securitycenter)
  • Security Core Component (com.miui.securitycore)
  • Settings (com.android.settings)
  • ShareMe (com.xiaomi.midrop)
  • System Tracing (com.android.traceur), and
  • Xiaomi Cloud (com.miui.cloudservice)

Some of the notable flaws include a shell command injection bug impacting the System Tracing app and flaws in the Settings app that could enable theft of arbitrary files as well as leak information about Bluetooth devices, connected Wi-Fi networks, and emergency contacts.

It’s worth noting that while Phone Services, Print Spooler, Settings, and System Tracing are legitimate components from the Android Open Source Project (AOSP), they have been modified by the Chinese handset maker to incorporate additional functionality, leading to these flaws.

Cybersecurity

Also discovered is a memory corruption flaw impacting the GetApps app, which, in turn, originates from an Android library called LiveEventBus that Oversecured said was reported to the project maintainers over a year ago and remains unpatched to date.

The Mi Video app has been found to use implicit intents to send Xiaomi account information, such as username and email address via broadcasts, which could be intercepted by any third-party app installed on the devices using its own broadcast receivers.

Oversecured said the issues were reported to Xiaomi within a span of five days from April 25 to April 30, 2023. Users are advised to apply the latest updates to mitigate against potential threats.

(A previous version of the story incorrectly mentioned the disclosure timeline as April 2024. It was disclosed in April 2023.)

Found this article interesting? Follow us on Twitter ο‚™ and LinkedIn to read more exclusive content we post.

8.1 High

AI Score

Confidence

Low

JSON