A vulnerability allows remote code execution (RCE) in its MIUI app Xiaomi for the Android operating system, in all versions of the application before MIUI Global Stable 7.2.
The vulnerability exists in the MIUI Analytics component, which is used by various applications of Android for the collection data of how their application is used on the user's device.
According to her Security Intelligence Group IBM, this element has a mechanism automaticupdate that allows MITM (Man-in-the-middle) attacks and can be used to distribute malware.
Because MIUI analytics does not verify the receipt of a packet, an attacker has the ability to execute its code with the privileged user privileges on the Android system.
The problem is that MIUI analytics uses HTTP to search for an update server but also to download packets. An attacker who monitors the update requests can use basic tampering techniques, and respond to the server name.
This answer naturally contains links to a malicious APK.
The case of vulnerability to Xiaomi software is very risky because the company is the third largest smartphone manufacturer in the world, after Samsung and Apple.
The company has over 70 more than a million 2015 devices, so you understand that too many are at risk, especially those who do not have the latest version of the operating system.
Researchers have informed Xiaomi about the issue since last January, and the company quickly released a new MIUI update that fixes vulnerability.