Multiple security vulnerabilities have been uncovered in various applications and system components within Xiaomi devices running Android.
“Xiaomi vulnerability allows system privileges to perform arbitrary activities, access receivers, services, steal arbitrary files with system privileges, [and] disclosure of mobile phone, settings, and Xiaomi account data,” mobile security company Oversecured said in a report shared with Hacker News.
The 20 flaws affect a variety of apps and components, including:
- Gallery (com.miui.gallery)
- GetApps (com.xiaomi.mipicks)
- Mi Video (com.miui.videoplayer)
- MIUI Bluetooth (com.xiaomi.bluetooth)
- Phone service (com.android.phone)
- Print spooler (com.android.printspooler)
- Security (com.miui.securitycenter)
- Security Core Component (com.miui.securitycore)
- Settings (com.android.settings)
- ShareMe (com.xiaomi.midrop)
- System Trace (com.android.traceur), and
- Xiaomi Cloud (com.miui.cloudservice)
Notable flaws include a shell command injection bug that affects the System Trace app, a flaw in the Settings app that allows the theft of arbitrary files, and a flaw in the Settings app that leaks information about Bluetooth devices, connected Wi-Fi networks, and emergency contacts.
Note in particular that Phone Services, Print Spooler, Settings, and System Trace are regular components of the Android Open Source Project (AOSP), but they have been modified by the Chinese phone manufacturer to include additional functionality, which led to these flaws.
Also discovered was a memory corruption flaw affecting the GetApps app. The flaw originates from an Android library called LiveEventBus, and according to Oversecured, it was reported to the project's maintainers over a year ago and has not been patched to date.
The Mi Video app was found to use implicit intents to send Xiaomi account information, such as username and email address, via broadcasts. Third-party apps installed on the device can intercept these broadcasts using their own broadcast receivers.
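The broadcast pattern described above, next to a hardened form, as an added example that is not Mi Video's code and does not come from the Oversecured report. The class name, action string, extra keys, and permission name are hypothetical.

```java
import android.content.Context;
import android.content.Intent;

/** Constructed illustration; every name below is hypothetical. */
public final class AccountBroadcasts {
    // Hypothetical action string, not taken from any Xiaomi app.
    static final String ACTION_ACCOUNT_CHANGED =
            "com.example.video.ACCOUNT_CHANGED";

    // Hypothetical permission the sending app would declare in its manifest:
    //   <permission
    //       android:name="com.example.video.permission.ACCOUNT_EVENTS"
    //       android:protectionLevel="signature" />
    static final String PERM_ACCOUNT_EVENTS =
            "com.example.video.permission.ACCOUNT_EVENTS";

    /**
     * Weak: the intent names no component or package, so the system
     * delivers it, extras included, to every app that registered a
     * receiver for this action.
     */
    static void notifyInsecure(Context ctx, String userName, String email) {
        Intent intent = new Intent(ACTION_ACCOUNT_CHANGED);
        intent.putExtra("user_name", userName);
        intent.putExtra("email", email);
        ctx.sendBroadcast(intent);
    }

    /**
     * Hardened: delivery is limited to the sender's own package, receivers
     * must hold a signature-level permission, and no account data travels
     * in the extras.
     */
    static void notifySecure(Context ctx) {
        Intent intent = new Intent(ACTION_ACCOUNT_CHANGED);
        // Only receivers inside this app's package are eligible.
        intent.setPackage(ctx.getPackageName());
        // Second argument: permission a receiver must hold to get the broadcast.
        ctx.sendBroadcast(intent, PERM_ACCOUNT_EVENTS);
        // Receivers read account details from the app's own account store
        // after this signal instead of from the intent.
    }
}
```

When auditing an app for this issue, look for `sendBroadcast` calls whose intent carries user data but sets neither a package nor a component and passes no receiver permission.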
Oversecured said the issues were reported to Xiaomi within a five-day period from April 25, 2024 to April 30, 2024. Users are advised to apply the latest updates to mitigate potential threats.