Tuesday 12 July 2016

Millions of Xiaomi phones are at risk due to Malware.

Xiaomi Phones

According to the latest news, millions of Xiaomi phones are vulnerable to a flaw that lets an attacker remotely install malware on them.

The vulnerability was found in the analytics package in Xiaomi's custom-built Android-based operating system. Security researchers at IBM, who found the flaw, discovered a number of apps in the package that were vulnerable to a remote code execution flaw through a man-in-the-middle attack -- one of which would allow an attacker to run arbitrary code at the system level.
In other words, an attacker could inject a link to a malicious Android app package, which is extracted and executed at the system level.
Xiaomi, the world's third-largest smartphone maker with more than 70 million devices shipped last year, fixed the flaw in a recent update.
Users should update their devices as soon as possible -- though, updates aren't (as far as we can tell) delivered over an encrypted channel.
This kind of attack vector, however, isn't new, and has been seen in other platforms.
These flaws rely on a lack of encryption and of code-checking and verification. Because these updates aren't provided over an encrypted TLS (HTTPS) connection, they can be easily modified. Encryption prevents anyone from modifying the data in transit, and ensures that a man-in-the-middle attack is almost impossible to carry out.
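
The two missing checks named above (an encrypted channel and verification of the downloaded code), sketched as an added example; this is not code from Xiaomi, IBM or the original article. The host name, function names and sample packages are assumptions made for illustration, and the manifest is assumed to reach the device through an authenticated channel (for instance, signed with a vendor key pinned on the device).

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumption: the only host this updater may download from (hypothetical).
ALLOWED_HOSTS = {"updates.example.com"}

class UpdateRejected(Exception):
    """Raised when an update must not be installed."""

def check_update_url(url):
    """Refuse anything that is not HTTPS to an expected host."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise UpdateRejected("update URL is not HTTPS")
    if parts.hostname not in ALLOWED_HOSTS:
        raise UpdateRejected("unexpected update host")

def verify_package(package, expected_sha256, expected_size):
    """Compare the downloaded bytes with the trusted manifest values."""
    if len(package) != expected_size:
        raise UpdateRejected("size mismatch")
    digest = hashlib.sha256(package).hexdigest()
    # Constant-time comparison of the two hex digests.
    if not hmac.compare_digest(digest, expected_sha256.lower()):
        raise UpdateRejected("SHA-256 mismatch")

# Constructed sample data: the package the vendor published, and a same-size
# copy substituted in transit on an unencrypted connection.
GENUINE = b"PK\x03\x04 constructed genuine update package"
TAMPERED = b"PK\x03\x04 constructed altered update package"
MANIFEST = {"sha256": hashlib.sha256(GENUINE).hexdigest(),
            "size": len(GENUINE)}

def try_update(url, package, manifest=MANIFEST):
    """Return 'installed' or the reason the update was refused."""
    try:
        check_update_url(url)
        verify_package(package, manifest["sha256"], manifest["size"])
        return "installed"
    except UpdateRejected as exc:
        return "rejected: " + str(exc)

if __name__ == "__main__":
    good = "https://updates.example.com/pkg.apk"
    print(try_update(good, GENUINE))
    print(try_update(good, TAMPERED))
    print(try_update("http://updates.example.com/pkg.apk", GENUINE))
```
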
It's not even the first time this kind of attack was discovered this year.








Earlier this year, a similar set of flaws was found in preinstalled software on Windows PCs -- so-called bloatware. This meant millions of laptops and desktops were at risk of having malware injected as it's being downloaded from the internet.
The researchers who found the vulnerabilities said that the "average potted plant" could exploit the flaws.
Fortunately, the vulnerability has been fixed now.
