Late last week, mobile security company Bluebox came out with a damning report about security concerns it found with the Xiaomi Mi 4. The report, close on the heels of Lenovo’s Superfish episode, claimed that the Mi 4 comes pre-installed with malware, adware and spyware. The report went on to say that the Mi 4 was “vulnerable for every vulnerability we scan for.” Xiaomi refutes the claims and suggests that the smartphone Bluebox bought was likely a counterfeit device. UPDATE: Xiaomi has confirmed that the unit was “100 percent proven to be a counterfeit product purchased through an unofficial channel on the streets in China.”
Xiaomi has sent a statement to BGR India in which it says the product Bluebox used to conclude that Xiaomi was pre-installing malware was counterfeit. Bluebox too has confirmed that the product was counterfeit and hence that its findings were inaccurate.
First, some background. Bluebox procured a Mi 4 from an unofficial third-party reseller in China. The security firm claimed it ran some tests to ensure the smartphone was not a counterfeit and was satisfied that it was a legitimate Xiaomi product. It followed this up with some basic tests that revealed six pre-installed apps classified as known malware, adware or spyware.
Further, the firm also found that its Mi 4 unit’s ROM was already rooted and that the developer debugging option was pre-enabled. It also found that the phone’s internal storage had a hidden folder containing some popular benchmarking apps, but these had been re-signed, indicating that they had been tampered with and differed from the authentic versions.
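The indicators Bluebox reported on its unit (a rooted ROM, developer debugging switched on out of the box, benchmarking apps re-signed with a certificate other than the developer’s) are the same ones a BYOD administrator would check before trusting a device. The script below is an added example, not code from the article, Bluebox or Xiaomi: it takes data an examiner has already collected over adb (the text of `getprop`, the `adb_enabled` global setting, paths confirmed to exist on the device, and per-package signer-certificate fingerprints) and flags each indicator. The benchmarking package names are assumed, the certificate fingerprints are placeholders, and both sample snapshots are constructed.

```python
"""Triage of device-tampering indicators from collected adb data (added example)."""
import re
from dataclasses import dataclass

# `adb shell getprop` prints one "[key]: [value]" pair per line.
GETPROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")

# Locations where a `su` binary is commonly placed on rooted devices.
SU_PATHS = ("/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su")

# Known-good SHA-256 signer-certificate fingerprints, as an administrator would
# record them from a copy obtained through an official channel. PLACEHOLDER
# values; package names are assumed.
EXPECTED_SIGNERS = {
    "com.cpuid.cpu_id": "00" * 32,        # CPU-Z (placeholder fingerprint)
    "com.antutu.ABenchMark": "11" * 32,   # AnTuTu (placeholder fingerprint)
}


def parse_getprop(text):
    """Parse getprop output into a dict; lines that do not match are ignored."""
    props = {}
    for line in text.splitlines():
        m = GETPROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


@dataclass
class DeviceSnapshot:
    props: dict          # parsed getprop output
    adb_enabled: str     # output of `settings get global adb_enabled`
    present_paths: set   # paths the examiner confirmed exist on the device
    signers: dict        # package name -> SHA-256 signer-certificate fingerprint


def assess(snapshot, expected_signers):
    """Return a list of (severity, description); an empty list means no indicator fired."""
    findings = []
    p = snapshot.props
    # A production build is a `user` build signed with release-keys,
    # with ro.debuggable=0 and ro.secure=1.
    if p.get("ro.build.type", "user") != "user":
        findings.append(("high", f"build type is {p['ro.build.type']}, not a production 'user' build"))
    if "test-keys" in p.get("ro.build.tags", ""):
        findings.append(("high", "build is signed with test-keys rather than release-keys"))
    if p.get("ro.debuggable") == "1":
        findings.append(("high", "ro.debuggable=1: debuggable ROM"))
    if p.get("ro.secure") == "0":
        findings.append(("high", "ro.secure=0: adbd runs with root privileges"))
    # Developer debugging already switched on.
    if snapshot.adb_enabled == "1":
        findings.append(("medium", "USB debugging (adb_enabled) is on"))
    # Root indicator: a su binary on the system image.
    for path in SU_PATHS:
        if path in snapshot.present_paths:
            findings.append(("high", f"su binary present at {path}"))
    # Re-signed apps: the installed package's signer differs from the known-good one.
    for pkg, expected in expected_signers.items():
        actual = snapshot.signers.get(pkg)
        if actual is not None and actual.lower() != expected.lower():
            findings.append(("high", f"{pkg} is signed by an unexpected certificate ({actual[:16]}...)"))
    return findings


def score(findings):
    """Crude trust score 0-100: each high finding costs 25 points, each medium 10 (assumed weights)."""
    cost = sum(25 if sev == "high" else 10 for sev, _ in findings)
    return max(0, 100 - cost)


def sample_tampered():
    """Constructed snapshot resembling the unit described in the article."""
    getprop = "[ro.build.type]: [userdebug]\n[ro.build.tags]: [test-keys]\n" \
              "[ro.debuggable]: [1]\n[ro.secure]: [0]\n"
    return DeviceSnapshot(parse_getprop(getprop), "1", {"/system/xbin/su"},
                          {"com.cpuid.cpu_id": "ff" * 32,          # re-signed
                           "com.antutu.ABenchMark": "11" * 32})     # matches


def sample_clean():
    """Constructed snapshot of a production build with untouched apps."""
    getprop = "[ro.build.type]: [user]\n[ro.build.tags]: [release-keys]\n" \
              "[ro.debuggable]: [0]\n[ro.secure]: [1]\n"
    return DeviceSnapshot(parse_getprop(getprop), "0", set(),
                          {"com.cpuid.cpu_id": "00" * 32, "com.antutu.ABenchMark": "11" * 32})


if __name__ == "__main__":
    for name, snap in (("tampered", sample_tampered()), ("clean", sample_clean())):
        f = assess(snap, EXPECTED_SIGNERS)
        print(f"{name}: score {score(f)}")
        for sev, desc in f:
            print(f"  [{sev}] {desc}")
```

The certificate check is the part that catches the re-signed benchmarking apps: a modified APK cannot carry the original developer’s signature, so comparing the installed package’s signer fingerprint against one recorded from a copy obtained through an official channel exposes the substitution even when the app name and version string look right.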
BGR India reached out to Xiaomi and the Chinese smartphone vendor refuted all claims made by Bluebox. It also suggested the possibility that the security company could have bought a counterfeit product.
“There are glaring inaccuracies in the Bluebox blog post. Official Xiaomi devices do not come rooted and do not have malware pre-installed. Our investigation based on information received so far indicates that the phone Bluebox obtained is a counterfeit product purchased through an unofficial channel on the streets in China. We’re gathering more information to fully confirm this and should have a final answer in the next 24 hours,” Xiaomi said in a statement. (Read the complete statement at the end.)
Bluebox also found mismatches between the Android version and the MIUI version, which suggested that the forked operating system was a patchwork of different versions of Android. It also found that the OS was most likely test software rather than the final consumer version. Bluebox further reported that MIUI wasn’t certified by Google, a claim Xiaomi calls inaccurate.
“Contrary to what Bluebox has claimed, MIUI is true Android, which means MIUI follows exactly Android CDD, Google’s definition for compatible Android devices, and it passes all Android CTS tests, the process used by the industry to make sure a given device is fully Android compatible. All Xiaomi devices sold in China and international markets are fully Android compatible,” the statement continued.
Based in San Francisco, Bluebox was founded in 2012 and claims to provide mobile data security solutions for enterprises. It is backed by $27.5 million from Andreessen Horowitz, Tenaya Capital, and Andreas Bechtolsheim. The company was evaluating the Xiaomi Mi 4 as a BYOD option for employees and found that it received a very low “Trustable” score. However, the results would be worthless if the Mi 4 it tested does indeed turn out to be a counterfeit product.
Last month Lenovo came under a lot of fire when reports emerged that the company had pre-installed adware called Superfish on some models of its consumer laptops. Superfish intercepted SSL connections, enabling it to snoop on secure communications. The company stopped pre-installing the software and offered a tool to remove it from affected laptops.
“Our goal is to find technologies that best serve users. In general, we get pretty good feedback from users on what software we pre-install on computers and do our due diligence. Obviously in this case we didn’t do enough. The intent of loading this tool was to help enhance our users’ shopping experience. What we’re going to do in the next few weeks is dig deeper, and work with users, industry experts and others to see how we can improve what we do around software that comes installed on consumers’ computers. The outcome could be a clearer description of what software is on a user’s machine, and why it’s there,” said a Lenovo spokesperson in response to BGR India’s questions at the time of the Superfish episode.
For Xiaomi, another key security question is that most of its smartphones run an older version of Android and Xiaomi rarely pushes Android updates to them. This could leave its smartphones exposed to security holes that Google fixes in each software update. In response to BGR India’s question, the smartphone maker said it regularly pushes out security updates rather than waiting for platform updates.
“We prioritize security updates over platform updates (via backporting). We have one of the industry’s strongest security software teams and we make sure that our devices are always running the most secure software,” a Xiaomi spokesperson told BGR India.
Here’s the initial official statement Xiaomi sent to BGR India. We are expecting another follow-up statement soon.
There are glaring inaccuracies in the Bluebox blog post. Official Xiaomi devices do not come rooted and do not have malware pre-installed. Our investigation based on information received so far indicates that the phone Bluebox obtained is a counterfeit product purchased through an unofficial channel on the streets in China. We’re gathering more information to fully confirm this and should have a final answer in the next 24 hours.
With the large parallel street market for mobile phones in China, not only is it somewhat common for third parties to tamper with the software sold on smartphones, but there are counterfeit products which are almost indistinguishable from the original products on the outside. This happens across all brands, affecting both Chinese and foreign smartphone companies selling in China.
Furthermore, “entrepreneurial” retailers may add malware and adware to these devices, and even go to the extent of pre-installing modified copies of popular benchmarking software such as CPU-Z and Antutu, which will run “tests” showing the hardware is legitimate — fooling even very discerning buyers.
Xiaomi takes all necessary measures to crack down on the manufacturers of fake devices or anyone who tampers with our software, supported by all levels of law enforcement agencies in China. However, for the safety of our users, Xiaomi and all smartphone brands always recommend buying phones through authorised channels. Xiaomi only sells via Mi.com, and a small number of Xiaomi trusted partners including mobile operators and select authorised retailers, such as Flipkart in India.
In addition, contrary to what Bluebox has claimed, MIUI is true Android, which means MIUI follows exactly Android CDD, Google’s definition for compatible Android devices, and it passes all Android CTS tests, the process used by the industry to make sure a given device is fully Android compatible. All Xiaomi devices sold in China and international markets are fully Android compatible.