Xiaomi takes about 6% of the smartphone market and is among the top five sales leaders. The proprietary MIUI shell is used by millions of company gadget owners. Meanwhile, security experts from the Indian firm eScan Antivirus found in the firmware critical vulnerabilities that allow you to easily steal all data from a smartphone based on MIUI.
The bug lies in the application Mi Miover, which helps to restore personal information when moving from one Xiaomi device to another. Interestingly, the program bypasses the built-in protection mechanisms for Android. Thus, Mi Mover can transmit even sensitive data, for example, payment information. In order to start the transfer, you must enter the password from the smartphone.
The eScan team took Mi Max 2 and Redmi 4A and found that on both smartphones Mi Mover did not require a password, a graphic key or a fingerprint to get started. This means that with its help, attackers can clone device data with an unlocked screen directly through the firmware embedded in the firmware.
Another vulnerability is associated with administrative privileges for applications. With such privileges, the program can manage the smartphone and even erase all data from memory. Managing rights or removing an application with advanced access also requires a password, but Mi Max 2 did not require it.
Interestingly, Xiaomi denies the information from the report and recommended that gadget owners use a fingerprint scanner and on-screen passwords for security purposes.