A computer science student, Thijs Broenink, has found that one of the pre-installed apps that come with Xiaomi smartphones, AnalyticsCore (AnalyticsCore.apk), sends device information (IMEI, MAC address, Model, Nonce, Package name and signature) to Xiaomi, and also checks Xiaomi’s server daily for updates and installs them. He made the discovery when, out of curiosity, he reverse-engineered the pre-installed apps to see what they actually do.
Broenink found that the update is downloaded over plain HTTP, which means it could be tampered with in transit and replaced with a malicious file. The access granted by the app also gives Xiaomi the power to silently replace signed apps within 24 hours on all devices it sells.
In response, a Xiaomi spokesperson told The Hacker News that a successful attack on the “self-upgrade” feature by a random attacker is impossible, as MIUI (Xiaomi’s Android firmware for mobile devices) checks the signature of the Analytics.apk app during installation and will not install any app that has not been signed by Xiaomi. He also noted that “Starting from MIUI V7.3 released in April/May, HTTPS was enabled to further secure data transfer, to prevent any man-in-the-middle attacks.”
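The two defences the article contrasts, the transport gate (HTTPS, per the spokesperson's statement) and the install-time signature check, as an added Go example that is not code from the article or from Xiaomi. It uses Ed25519 with a public key pinned in the client as a stand-in for Android's APK signing scheme and MIUI's installer check; the manifest type, the URLs and the package bytes are constructed for the demonstration. The point it shows is that a payload swapped on the wire fails the signature gate even when the transport gate is missing, and that an https-only client never hands the on-path attacker a plaintext download in the first place.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net/url"
)

// UpdateManifest stands in for whatever a self-updating component fetches
// first: the package location plus the publisher's detached signature over
// the exact package bytes. Constructed for this example; not a real format.
type UpdateManifest struct {
	URL       string
	Signature []byte
}

var (
	ErrPlaintextTransport = errors.New("update URL is not https: payload could be swapped in transit")
	ErrBadSignature       = errors.New("package is not signed by the pinned publisher key")
)

// RequireHTTPS is the transport gate. It rejects anything that is not an
// https URL before a single byte is fetched, so an on-path attacker never
// gets a plaintext download to tamper with.
func RequireHTTPS(rawURL string) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return ErrPlaintextTransport
	}
	return nil
}

// VerifyPackage is the installation gate. Whatever arrived over the wire is
// installed only if the publisher's signature over its bytes verifies against
// the key pinned in the client. A payload swapped in transit fails here even
// if the transport gate was absent, which is the property the vendor relied on.
func VerifyPackage(pinned ed25519.PublicKey, pkg, sig []byte) error {
	if len(pinned) != ed25519.PublicKeySize || !ed25519.Verify(pinned, pkg, sig) {
		return ErrBadSignature
	}
	return nil
}

// InstallDecision runs both gates in the order a client would: transport
// first, then signature over the bytes that were actually downloaded.
func InstallDecision(pinned ed25519.PublicKey, m UpdateManifest, downloaded []byte) error {
	if err := RequireHTTPS(m.URL); err != nil {
		return err
	}
	return VerifyPackage(pinned, downloaded, m.Signature)
}

func main() {
	// Publisher key pair generated on the spot for the demo; in a real client
	// only the public half is pinned and the private half stays with the publisher.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := []byte("constructed stand-in for the genuine package bytes")
	m := UpdateManifest{
		URL:       "https://updates.example.invalid/core.apk", // constructed URL
		Signature: ed25519.Sign(priv, genuine),
	}

	fmt.Println("genuine over https:", InstallDecision(pub, m, genuine))

	// Same manifest, but the bytes that arrived are not the ones that were signed.
	swapped := []byte("constructed stand-in for a payload swapped in transit")
	fmt.Println("swapped payload:", InstallDecision(pub, m, swapped))

	// Same genuine bytes, but offered over plain http: rejected before download.
	m.URL = "http://updates.example.invalid/core.apk"
	fmt.Println("genuine over plain http:", InstallDecision(pub, m, genuine))
}
```

Keeping the two gates as separate functions makes the division of labour explicit: the signature check is what prevents a swapped payload from installing, and the https requirement is what stops the payload from being observable or replaceable on the path at all.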
To block the app’s network access completely, users can use an ad-blocking app with root access to blacklist Xiaomi-related web servers, since uninstalling the app does not work: it reinstalls itself after a while.