Xiaomi’s Mi 4 Found To Contain Pre-installed Malware, Other Software Security Issues

Chinese technology company Xiaomi may be growing in both reputation and income at a rate that few could have predicted, but with increased exposure comes problems that smaller manufacturers may not have to worry about. According to a new security report, it appears that Xiaomi may be in the middle of a security nightmare that could put some of its potential customers off from choosing a Xiaomi smartphone.

The bad news comes courtesy of data security firm Bluebox, which discovered that a Xiaomi Mi 4 device that it purchased directly from a retailer in China was pre-installed with malware amongst other software based nastiness.


Bluebox issued its report initially on Thursday and after reaching out to Xiaomi for comment, got no response back. In the time since then Xiaomi’s Hugo Barra has responded to the criticism, but the damange may already be done.

During its tests, Bluebox found that known malware was installed on the supposedly brand new smartphone, with Bluebox’s lead security analyst Andrew Blaich saying that the Mi 4 he tested was amazingly “vulnerable to every vulnerability we scanned for.” Further tests showed that the version of Android that the device was running appeared to be a combination of different versions of Google’s operating system rather than a certified one.

Mi4 2

What is really worrying though is that the device could well have been tampered with. Bluebox says that the device showed signs of some apps having different signatures to those used by the manufacturer which suggests that someone may have had their hands on the device before it reached Bluebox.

Barra seems to think that may be exactly what happened, given the language in his statement.

“We are certain the device that Bluebox tested is not using a standard MIUI ROM, as our factory ROM and OTA ROM builds are never rooted and we don’t pre-install services such as YT Service, PhoneGuardService, AppStats etc. Bluebox could have purchased a phone that has been tampered with, as they bought it via a physical retailer in China. Xiaomi does not sell phones via third-party retailers in China, only via our official online channels and selected carrier stores.”

Whatever the reason for the appearance of malware, it’s not a good sign for Xiaomi. If the Mi 4 that was tested had indeed been tampered with, the ease with which that was possible must be a concern for both the company and its users. At this point, if you really must buy a Xiaomi smartphone, we suggest getting it directly from Xiaomi rather than another retailer. And even then, we’re not so sure.

(Source: Bluebox)

You can follow us on Twitter, add us to your circle on Google+ or like our Facebook page to keep yourself updated on all the latest from Microsoft, Google, Apple and the Web.