Over the past few days, a little-known but well-funded mobile security firm, Bluebox, published a report claiming Xiaomi was pre-installing malware on its Mi 4 smartphone. The report also claimed that Xiaomi was shipping the Mi 4 with a rooted ROM and with tampered versions of popular benchmarking apps pre-installed. It also claimed that Xiaomi’s own identifier app showed the phone was a legitimate Xiaomi product, raising questions about the security of products made by one of the fastest-rising smartphone brands in South East Asia. However, as it turns out, the smartphone Bluebox had acquired through an unofficial source in China was nothing more than a sophisticated counterfeit. But how did a startup with $27.5 million in funding from Andreessen Horowitz, Tenaya Capital and Andreas Bechtolsheim fall for a counterfeit product?
Before we go into how Bluebox tested the phone, it is clear from the outset that the company had little understanding of the Chinese market and how counterfeiting is rampant there. It is not just the Apple iPhones and Samsung Galaxies that get counterfeited there but even local Chinese smartphone brands that are popular but are limited in supply. Xiaomi is a perfect example, as thousands of units of its smartphones get snapped up within minutes if not seconds during flash sales. However, the counterfeiting is quite contained internally, since strict import regulations and checks ensure that these units never make it to western countries.
Xiaomi also happens to be one of the most talked-about brands in the US, especially after its meteoric rise in the smartphone space, some high-profile hires and its multi-fold increase in valuation. However, not many there understand what the brand is all about, its MIUI operating system on top of Android, or the reason for its popularity. The common narrative is that Xiaomi is a brand that copied Apple’s hardware design and iOS UI and sold devices cheaply. The misconception is clear from Bluebox’s initial claim that MIUI was “a forked (not certified) form of Android and does not contain Google services.”
In reality, MIUI is certified and ships with Google services outside China (inside China, Google services are banned). “Contrary to what Bluebox has claimed, MIUI is true Android, which means MIUI follows exactly Android CDD, Google’s definition for compatible Android devices, and it passes all Android CTS tests, the process used by the industry to make sure a given device is fully Android compatible. All Xiaomi devices sold in China and international markets are fully Android compatible,” Xiaomi had told BGR India in its initial statement.
The first mistake Bluebox committed was to buy a Mi 4 from an illegitimate source. This is Security 101 – if you are embarking on a report to find out whether a smartphone (or any other device) is secure, you should acquire it from legitimate retail channels. Not only did Bluebox commit this amateur error, it did not even run a background check on the reseller itself.
What is also baffling is that Bluebox went for the Chinese version when it seems the company had no one who could understand Chinese. Things would have been much simpler had Bluebox hired someone with a basic understanding of Chinese and some local knowledge of the Chinese smartphone market. Or it could simply have gone for an international variant like the one available in India, which comes with an English UI and Google Mobile Services. That would at least have brought some clarity about MIUI and ensured the unit was a legitimate product.
Bluebox claimed that Xiaomi’s phone identifier app also said the unit was a legitimate product. If only the researchers had done some, well, research, they would have understood how the phone identifier worked. Unfortunately, Xiaomi’s documentation for the app was only available in Chinese. Bluebox fell for a fake identifier app that simply declared the phone legitimate by inspecting the specifications locally. The real app instead asks the user to go to a website and scan a code; the phone then sends some hardware details in encrypted form to Xiaomi’s servers. Whether the phone is legitimate or counterfeit is shown on that website only, never on the phone itself.
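As an added illustration (not Xiaomi’s or Bluebox’s code), the following models the difference between the two checks described above: a local-only check that trusts whatever the device reports about itself, beside a hypothetical vendor server that issues a code to a web session, receives the phone’s hardware report, and keeps the verdict on the website. It also applies the cloned-IMEI finding from Xiaomi’s statement further down: a known IMEI arriving on mismatching hardware is flagged. All IMEIs, serials, the spec sheet and class names are constructed; encryption of the report in transit is assumed and not modelled.

```python
from dataclasses import dataclass
import hashlib
import secrets

@dataclass(frozen=True)
class HardwareReport:
    imei: str
    serial: str
    soc: str
    ram_mb: int

# Constructed spec sheet and production record; IMEIs are made up.
SPEC_SHEET = ("Snapdragon 801", 3072)
GENUINE = HardwareReport("490154203237518", "SN-000001", *SPEC_SHEET)
# Counterfeit carrying a cloned IMEI; its modified ROM reports the genuine specs.
CLONE = HardwareReport("490154203237518", "SN-FAKE01", *SPEC_SHEET)

def local_only_check(report: HardwareReport) -> bool:
    """What the fake identifier app did: compare self-reported specs with the
    spec sheet. The ROM controls the answer, so a clone passes as well."""
    return (report.soc, report.ram_mb) == SPEC_SHEET

def fingerprint(r: HardwareReport) -> str:
    return hashlib.sha256(f"{r.imei}|{r.serial}|{r.soc}|{r.ram_mb}".encode()).hexdigest()

class VerificationServer:
    """Hypothetical vendor back end for the website-plus-scan flow."""
    def __init__(self, production_records):
        self.genuine = {r.imei: fingerprint(r) for r in production_records}
        self.clone_sightings = {}  # imei -> times seen on mismatching hardware
        self.sessions = {}         # website code -> verdict (None until submitted)

    def issue_code(self) -> str:
        code = secrets.token_hex(8)  # displayed on the website, scanned by the phone
        self.sessions[code] = None
        return code

    def submit(self, code: str, report: HardwareReport) -> None:
        """The phone posts its report; nothing is returned to the device."""
        expected = self.genuine.get(report.imei)
        if expected is None:
            verdict = "counterfeit: IMEI not in production records"
        elif fingerprint(report) != expected:
            n = self.clone_sightings.get(report.imei, 0) + 1
            self.clone_sightings[report.imei] = n
            verdict = f"counterfeit: cloned IMEI, hardware mismatch (sighting #{n})"
        else:
            verdict = "genuine"
        self.sessions[code] = verdict

    def website_result(self, code: str):
        """Only the web session that issued the code learns the verdict."""
        return self.sessions.get(code)
```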
Xiaomi could have done better by having English support for its verification app. “We have so far not received meaningful reports of counterfeit Mi phones outside of China. However, to give our international users peace of mind, an English version of our verification app (that certifies the authenticity of Mi hardware) is in the works,” the company said in a statement issued to BGR India.
There were enough red flags for Bluebox even during its testing to sense something was wrong. The benchmark apps pre-installed on the phone’s internal storage, which replaced legitimate copies a user downloaded in order to spoof benchmark results, should have been a dead giveaway, for instance. It is also baffling that Bluebox would come to these damaging conclusions based on just one unit that was sourced through dubious means.
Eventually, I believe the lack of understanding of Xiaomi and its products undid Bluebox. Had the researchers spent some time understanding MIUI and its variants outside China that come with Google Mobile Services, the narrative could have been different.
Here’s Xiaomi’s final statement issued to BGR India on how the two companies came to the conclusion that the product was counterfeit and Bluebox’s findings were completely inaccurate:
On March 5 2014, Bluebox published an initial report on their website claiming that a Mi 4 bought in China comes pre-installed with malware. Here’s our response after careful investigation:
- Xiaomi and Bluebox have confirmed that the device Bluebox obtained is a counterfeit product.
- Bluebox’s reported findings are therefore inaccurate and not representative of Mi phones.
- We always recommend our users buy Mi phones only through our official channels, including Mi.com and select partners such as mobile operators and authorised retailers.
- All Mi phones sold around the world are verified to be fully Android compatible.
We have concluded our investigation on this topic — the device Bluebox obtained is 100 percent proven to be a counterfeit product purchased through an unofficial channel on the streets in China. It is therefore not an original Xiaomi product and it is not running official Xiaomi software, as Bluebox has also confirmed in their updated blog post.
- Hardware: Xiaomi hardware experts have looked at the internal device photos provided to us by Bluebox and confirmed that the physical hardware is markedly different from our original Mi 4.
- IMEI number: Xiaomi’s after-sales team has confirmed that the IMEI on the device from Bluebox is a cloned IMEI number which has been previously used on other counterfeit Xiaomi devices in China.
- Software: Xiaomi’s MIUI team has confirmed that the software installed on the device from Bluebox is not an official Xiaomi MIUI build, as our devices do not come rooted and do not have any malware pre-installed.
As this device is not an original Xiaomi product, and is not running an official Xiaomi MIUI software build, Bluebox’s findings are completely inaccurate and not representative of Xiaomi devices. We believe Bluebox jumped to a conclusion too quickly without a fully comprehensive investigation (for example, they did not initially follow our published hardware verification process correctly due to a language barrier) and their attempts to contact Xiaomi were inadequate, considering the severity of their accusations.
With the large parallel street market for mobile phones in China, there exist counterfeit products that are almost indistinguishable on the outside. This happens across all brands, affecting both Chinese and foreign smartphone companies selling in China. Furthermore, “entrepreneurial” retailers may add malware and adware to these devices, and even go to the extent of pre-installing modified copies of popular benchmarking software such as CPU-Z and Antutu, which will run “tests” showing the hardware is legitimate — fooling even very discerning buyers.
Xiaomi takes all necessary measures to crack down on the manufacturers of fake devices or anyone who tampers with our software, supported by all levels of law enforcement agencies in China.
We have so far not received meaningful reports of counterfeit Mi phones outside of China. However, to give our international users peace of mind, an English version of our verification app (that certifies the authenticity of Mi hardware) is in the works.
Like all other consumer electronics brands, we always recommend buying Mi phones through authorized channels. Xiaomi only sells via Mi.com, and a small number of Xiaomi trusted partners including mobile operators and select authorized retailers, such as Flipkart in India and others that will be announced in the future.
In addition, contrary to what Bluebox has claimed, MIUI is true Android, which means MIUI follows exactly Android CDD, Google’s definition for compatible Android devices, and it passes all Android CTS tests, the process used by the industry to make sure a given device is fully Android compatible. All Xiaomi devices sold in China and international markets are fully Android compatible.