“Chinese Apple” can install any app on your smartphone without the user's knowledge
It is no secret that Android manufacturers such as Xiaomi, HTC, Samsung and OnePlus do not ship a “clean” version of the operating system, but custom firmware with preinstalled applications and themes. In theory, these programs are meant to improve smartphone performance and add functionality. However, some of these applications are, in effect, backdoors.
As reported by Securitylab, Thijs Broenink, a student from the Netherlands, decided to find out what the unknown program AnalyticsCore.apk, pre-installed on his Xiaomi Mi4 smartphone, actually does. The app runs in the background 24 hours a day, 7 days a week, and reappears after attempts to remove it.
Broenink asked on the Xiaomi support forum what AnalyticsCore does and, without waiting for a response, reverse-engineered the application. As it turned out, it connects to the manufacturer's official server and checks for available updates once every 24 hours. Each time it connects, AnalyticsCore sends the server information about the device, including the model name, IMEI, MAC address and a nonce.
If the server has an updated application with the file name Analytics.apk, it is downloaded and installed on the device in the background without any involvement from the user. “I have not found any evidence in the code of AnalyticsCore itself, but I assume that a Xiaomi app with elevated privileges performs the installation process in the background,” said Broenink.
The question arises whether the smartphone verifies the authenticity of the APK, and how it determines that the downloaded application really is AnalyticsCore. According to the researcher, no APK verification mechanisms exist, and thus Xiaomi can remotely and silently install any app on your device by placing it on its server under the name AnalyticsCore.apk.
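The kind of check the researcher found missing can be sketched as follows. This is an added example, not code from Xiaomi or from Broenink's analysis; it assumes the classic Android `PackageManager` API (`GET_SIGNATURES`, deprecated from API 28), and the class name `UpdateVerifier` and the `expectedPackage` parameter are hypothetical.

```java
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashSet;
import java.util.Set;

/** Added example: gate a downloaded update on package name and signing certificate. */
public final class UpdateVerifier {
    private UpdateVerifier() {}

    /**
     * Returns true only if the APK at apkPath declares the same package as the
     * installed app and is signed by exactly the same set of certificates.
     * expectedPackage is a hypothetical caller-supplied value, not taken from the article.
     */
    public static boolean isTrustedUpdate(PackageManager pm, String apkPath, String expectedPackage) {
        PackageInfo downloaded = pm.getPackageArchiveInfo(apkPath, PackageManager.GET_SIGNATURES);
        if (downloaded == null || !expectedPackage.equals(downloaded.packageName)) {
            return false; // unparsable file, or a different app served under the expected file name
        }
        try {
            PackageInfo installed = pm.getPackageInfo(expectedPackage, PackageManager.GET_SIGNATURES);
            Set<String> trusted = digests(installed.signatures);
            // Fail closed: an APK with no signatures must never compare equal to anything.
            return !trusted.isEmpty() && trusted.equals(digests(downloaded.signatures));
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false; // nothing installed to compare against, or no SHA-256 provider
        }
    }

    /** SHA-256 digests (hex) of each signing certificate, so sets can be compared. */
    private static Set<String> digests(Signature[] signatures) throws NoSuchAlgorithmException {
        Set<String> out = new HashSet<>();
        if (signatures == null) return out;
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        for (Signature s : signatures) {
            StringBuilder hex = new StringBuilder();
            for (byte b : sha256.digest(s.toByteArray())) hex.append(String.format("%02x", b));
            out.add(hex.toString());
        }
        return out;
    }
}
```

A check like this makes a substituted or tampered download fail before installation, whatever file name it arrives under. Fetching the update over an authenticated transport is a separate control.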
Broenink was unable to determine the purpose of the program. Information about it cannot be found online or even on the manufacturer's official website, so we can only guess why Xiaomi installs it on its devices. Besides the company itself, government intelligence agencies or cybercriminals could make use of the backdoor.
Because AnalyticsCore receives updates over an insecure protocol, attackers can carry out a “man in the middle” attack. “Personally, I think that this is a vulnerability, because [the manufacturer] knows the IMEI and model of your phone and they can install any APK specifically for this device,” said the researcher.
Xiaomi smartphone owners can protect themselves by using a firewall to block connections to any associated domains.