[German]Chinese vendor Xiaomi ships smartphones with vulnerabilities: A themes app that tries to bypass Google's built-in Android security protection. In addition, security researchers have discovered a vulnerability in MediaTek chips that make the payment system integrated in Xiaomi smartphones vulnerable. Here's an overview of this two topics.
Xiaomi Themes app
German blog reader Sebastian H. brought an unpleasant observation to my attention on Sunday. The Chinese vendor Xiaomi is shipping a themes app that attempts to bypass Google's built-in Android security protection. Sebastian wrote:
Dear Mr. Born,
possibly this topic is interesting for you and suitable for a post in your (by the way very good and informative!) blog.
This morning I was greeted with a strange Android notification on my homescreen. It comes directly from Google's own PlayProtect, which is known to scan apps installed on the device for malware, viruses, trojans, etc.
Interestingly, the "evil" themes app comes directly from Xiaomi….. That certainly makes you sit up and take notice, doesn't it ? False alarm, small mistake on the part of Xiaomi or Google, political decision or in the worst case even a Gigaset-like scenario ?
Sebastian pointed me to several posts on reddit.com where other users are discussing the issue. The following screenshot is from this reddit.com post and shows a corresponding message from Google's Play Protect. stammt aus diesem reddit.com-Post und zeigt eine entsprechende Meldung von Googles Play Protect.
the message. Other posts on reddit.com can be found here and here. On August 13, 2022 with update to August 14, 2022, Xiaomi posted this message in the community. It states:
Themes APP Got Blocked by Google Play Protect
This alert is no longer issued and we are working together with Google to identify the cause of the issue.
If you still see the alert, but have not yet disabled the Themes APP, here's what you can do
It is confirmed that Google Play Protect blocks the Themes app. Actually, the warning should not appear anymore by now and the manufacturer is working with Google to solve the problem. So it seems to be a false alarm from Google Play Protect for now.
Vulnerabilities in Xiaomi payment mechanism
Mobile payment systems are prograssing, according to the latest statistics, the Far East and China accounted for two-thirds of global mobile payments in 2021. That's roughly equivalent to four billion U.S. dollars in mobile wallet transactions. The interest of hackers in gaining access or even control over virtual payment channels is therefore correspondingly high. That is why security researchers are taking a close look at the corresponding solutions.
Old app with vulnerabilities
Security researchers from Check Point Research (CPR) have found vulnerabilities in Xiami smartphones with MediaTek chips that allow payments to be forged and the payment system to be disabled directly from an unprivileged Android app.
The background is that Xiaomi can embed and sign its own trusted apps on the devices. CPR noted that attackers can transfer an old version of a trusted app to the device, overwriting the new app file. This allows an attacker to bypass security fixes and mechanisms made by Xiaomi or MediaTek in trusted apps by downgrading the apps to unpatched versions.
Check Point security researchers discovered several vulnerabilities in the trusted app "thhadmin", which is responsible for security management. These vulnerabilities could be exploited to spy on stored keys or execute code in the context of the app to perform malicious actions.
Background: Secure TEE, secure payments
The so-called trusted execution environment (TEE) has been an integral part of mobile devices for many years. Its main purpose is the processing and storage of sensitive security information such as cryptographic keys or fingerprints. Since mobile payment signatures are executed in the TEE, its security is instrumental to the security of payments.
Previously, the Asian market, which is mainly represented by smartphones with MediaTek chips, has not been extensively researched by CheckPoint or other companies. No one has examinedg trusted apps written by device makers like Xiaomi, even though security management and the core of mobile payments are implemented there. CheckPoint's study is the first to examine trusted applications written by Xiaomi for security issues. The study looks at the trusted applications of devices running MediaTek operating system. The test device used was the Xiaomi Redmi Note 9T 5G with MIUI Global 22.214.171.124 OS.
Integrated framework for mobile payments compromised
Xiaomi devices have an integrated mobile payments framework called "Tencent Soter" that provides an API (application programming interface) for third-party Android applications to integrate payment functions. Its main function is to enable the verification of payment packets transferred between a mobile application and a remote backend server. This is essentially the security that users rely on when making mobile payments.
Figure 1: Implementation of Tencent Soter on Xiaomi devices
According to Tencent, hundreds of millions of Android devices support Tencent Soter. WeChat Pay and Alipay are the two largest players in the Chinese digital payments industry. Together, they account for about 95 percent of China's mobile payments market. Each of these platforms has over one billion users. WeChat Pay is based on Tencent's Soter. If an app provider wants to implement its own payment system, including the backend that stores users' credit cards and bank accounts, without being tied to the WeChat app, it can use Tencent's Soter directly. This approach allows it to verify transactions in real time on its backend server and ensure that a payment package has been sent from its app installed on a particular device and approved by the user.
The vulnerability discovered by CPR, which Xiaomi refers to as CVE-2020-14125, fully compromises the Tencent Soter platform and allows an unauthorized user to sign forged payment packages.
During the investigation, CPR found a way to attack the platform built into Xiaomi smartphones, which is used by millions of users in China for mobile payments. An unprivileged Android application could exploit the CVE-2020-14125 vulnerability to execute codes in the trusted Wechat app and forge payment packages.
CPR responsibly shared all findings with Xiaomi. The vendor was able to confirm the vulnerabilities and based on the resulting collaboration, remediate the threat. The vulnerability was still patched by Xiaomi in June 2022 after disclosure. In addition, researchers were able to determine how the downgrade vulnerability in Xiaomi's TEE can allow the old version of the Wechat app to steal private keys. This presented read vulnerability was also patched by Xiaomi after disclosure and collaboration. The downgrade issue, which has been confirmed by Xiaomi and belongs to a third-party vendor, will be fixed soon. CheckPoint has published this post on the issue.
Cookies helps to fund this blog: Cookie settings