Xiaomi Android Devices Hit by Multiple Flaws Across Apps and System Components

May 06, 2024 | Newsroom | Android / Data Security

Multiple security vulnerabilities have been disclosed in various applications and system components within Xiaomi devices running Android.

“The vulnerabilities in Xiaomi led to access to arbitrary activities, receivers and services with system privileges, theft of arbitrary files with system privileges, [and] disclosure of phone, settings and Xiaomi account data,” mobile security firm Oversecured said in a report shared with The Hacker News.


The 20 shortcomings impact different apps and components, including:

  • Gallery (com.miui.gallery)
  • GetApps (com.xiaomi.mipicks)
  • Mi Video (com.miui.videoplayer)
  • MIUI Bluetooth (com.xiaomi.bluetooth)
  • Phone Services (com.android.phone)
  • Print Spooler (com.android.printspooler)
  • Security (com.miui.securitycenter)
  • Security Core Component (com.miui.securitycore)
  • Settings (com.android.settings)
  • ShareMe (com.xiaomi.midrop)
  • System Tracing (com.android.traceur), and
  • Xiaomi Cloud (com.miui.cloudservice)

Some of the notable flaws include a shell command injection bug impacting the System Tracing app and flaws in the Settings app that could enable theft of arbitrary files as well as leak information about Bluetooth devices, connected Wi-Fi networks, and emergency contacts.

It's worth noting that while Phone Services, Print Spooler, Settings, and System Tracing are legitimate components from the Android Open Source Project (AOSP), they have been modified by the Chinese handset maker to incorporate additional functionality, leading to these flaws.


Also discovered is a memory corruption flaw impacting the GetApps app, which, in turn, originates from an Android library called LiveEventBus that Oversecured said was reported to the project maintainers over a year ago and remains unpatched to date.

The Mi Video app has been found to use implicit intents to send Xiaomi account information, such as username and email address, via broadcasts, which could be intercepted by any third-party app installed on the devices using its own broadcast receivers.
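The implicit-broadcast pattern described above, shown beside a restricted form, as an added example that is not code from Mi Video or from Oversecured's report. The action string, extra keys, package name and permission name are hypothetical placeholders.

```java
import android.content.Context;
import android.content.Intent;

/** Added illustration. All identifiers below are hypothetical, not Xiaomi's. */
public final class AccountBroadcasts {
    static final String ACTION_ACCOUNT_INFO = "com.example.player.ACCOUNT_INFO";
    // The one app that is supposed to receive the account data.
    static final String TRUSTED_RECEIVER_PKG = "com.example.companion";
    // Assumed to be declared in the sender's manifest with
    // android:protectionLevel="signature", so only apps signed with the
    // same key can hold it.
    static final String PERM_ACCOUNT_INFO =
            "com.example.player.permission.ACCOUNT_INFO";

    private AccountBroadcasts() {}

    private static Intent accountIntent(String userName, String email) {
        Intent intent = new Intent(ACTION_ACCOUNT_INFO);
        intent.putExtra("user_name", userName);
        intent.putExtra("email", email);
        return intent;
    }

    /**
     * Weak form: the intent names only an action, so the system delivers it
     * to every receiver whose intent filter matches that action, including
     * receivers registered by unrelated third-party apps. The extras travel
     * with it.
     */
    static void sendImplicit(Context ctx, String userName, String email) {
        ctx.sendBroadcast(accountIntent(userName, email));
    }

    /**
     * Restricted form: setPackage() limits delivery to components of one
     * package, and the receiverPermission argument additionally requires the
     * receiving app to hold the signature-level permission.
     */
    static void sendRestricted(Context ctx, String userName, String email) {
        Intent intent = accountIntent(userName, email);
        intent.setPackage(TRUSTED_RECEIVER_PKG);
        ctx.sendBroadcast(intent, PERM_ACCOUNT_INFO);
    }
}
```

When reviewing an app for this class of issue, every `sendBroadcast` call whose intent carries user data and has neither a package, a component, nor a receiver permission set is worth a closer look.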

Oversecured said the issues were reported to Xiaomi within a span of five days from April 25 to April 30, 2024. Users are advised to apply the latest updates to mitigate against potential threats.
