IBM discovers MIUI vulnerability affecting Xiaomi devices
The flaw could allow hackers to remotely install malware in devices


A vulnerability in Xiaomi's MIUI platform could allow hackers to break into devices and install malware remotely, IBM researchers have discovered.
The flaw was found in multiple applications within Xiaomi's analytics package, which forms part of its custom-built Android operating system. These applications, including the built-in browser app, could be targeted by a man-in-the-middle attack, which means remote hackers can run code at the system level.
"This attack also involved code injection inside of the update framework. These attack vectors are not new and have been previously disclosed in other platforms," IBM said.
Once the update component had determined which firmware version the device was running, it downloaded an Android application package (APK) to the file system within the local application sandbox, where the host application loaded and executed it.
In a blog post, IBM explained that Xiaomi had remediated the flaw in MIUI Global Stable version 7.2, but users should still update their devices as soon as possible to eradicate the issue completely.
"Developers should take care to only transact code-related data over a verified, secure transport with certificate pinning such as TLS. Additionally, the code itself should be cryptographically signed and properly verified by the host application prior to execution," Roee Hay, X-Force application security research team leader at IBM said.
"Furthermore, we believe that a discussion should take place as to whether any application should have the ability to execute unsigned code via DexClassLoader, dynamic library injection or any other method on the Android platform."
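One way a host application can apply the check Hay describes, refusing to hand a downloaded package to DexClassLoader until its signature verifies against a key pinned in the app, is sketched below. This is an added illustration, not Xiaomi's or IBM's code; it assumes an RSA public key embedded in the host app and a detached signature file fetched alongside the package (the key, file names and entry class are placeholders).

```java
import java.io.File;
import java.nio.file.Files;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

import dalvik.system.DexClassLoader;

/** Loads downloaded code only after its signature verifies against a pinned key. */
public final class VerifiedCodeLoader {
    // Placeholder: the vendor's RSA public key (DER, SubjectPublicKeyInfo, base64)
    // compiled into the host app, so the server and the transport are not trusted alone.
    private static final String PINNED_PUBKEY_B64 = "<vendor-public-key-der-base64>";

    /**
     * apk     - package written to app-private storage by the update code
     * sigFile - detached SHA256withRSA signature over the exact bytes of apk
     * optDir  - app-private directory for optimized dex output
     */
    public static Class<?> loadVerified(File apk, File sigFile, File optDir,
                                        ClassLoader parent, String entryClass) throws Exception {
        byte[] apkBytes = Files.readAllBytes(apk.toPath());   // API level 26+
        byte[] signature = Files.readAllBytes(sigFile.toPath());

        if (!verify(apkBytes, signature)) {
            // Unsigned or tampered code never reaches the class loader.
            apk.delete();
            sigFile.delete();
            throw new SecurityException("update package signature invalid; refusing to load");
        }

        // Lock the verified file before loading; newer Android versions reject
        // writable dex files, and it narrows the window for post-check modification.
        apk.setReadOnly();
        DexClassLoader loader = new DexClassLoader(
                apk.getAbsolutePath(), optDir.getAbsolutePath(), null, parent);
        return loader.loadClass(entryClass);
    }

    /** Returns true only if signature is a valid SHA256withRSA signature over data. */
    static boolean verify(byte[] data, byte[] signature) throws Exception {
        byte[] der = Base64.getDecoder().decode(PINNED_PUBKEY_B64);
        PublicKey key = KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(key);
        verifier.update(data);
        return verifier.verify(signature);
    }
}
```

The signature is checked over the bytes that will actually be loaded, so a package substituted in transit, as in the man-in-the-middle scenario above, fails verification even if TLS was not enforced.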
The company said it would like to commend Xiaomi's security team for responding quickly to the threat, saying that within days of the disclosure, the vulnerability was confirmed and classified and IBM was provided with details of when a fix would be delivered.

Clare is the founder of Blue Cactus Digital, a digital marketing company that helps ethical and sustainability-focused businesses grow their customer base.
Prior to becoming a marketer, Clare was a journalist, working at a range of mobile device-focused outlets including Know Your Mobile before moving into freelance life.
As a freelance writer, she drew on her expertise in mobility to write features and guides for ITPro, as well as regularly writing news stories on a wide range of topics.