Chinese company Xiaomi is releasing vulnerable smartphones with a themes app that tries to bypass Google's built-in Android security protection.
In addition, security researchers discovered a vulnerability in MediaTek chips that makes the payment system built into Xiaomi smartphones vulnerable.
Google's PlayProtect is known to scan apps installed on the device for malware, viruses, trojans, etc. So today there were reports from Google's security app that Xiaomi's themes app is malicious. A false alarm, a small mistake on the part of Xiaomi or Google, a political decision?
On reddit.com, however, there are many posts from users who discuss the matter. The image below is actually from this reddit.com post and shows a message from Google's Play Protect.
Other posts on reddit.com can be found here in the upcoming years, while here. On August 13, 2022 with an update on August 14, 2022, Xiaomi published this message on her forum:
The Themes app has been blocked by Google Play Protect. We are working with Google to identify the cause of the problem.
If you're still seeing the notification but haven't yet disabled the Themes app, here's what you can do
Actually Google Play Protect blocked the Themes app and the warning should no longer appear as the manufacturer is working with Google to resolve the issue. It might have been a false alarm from Google Play Protect.
Security gaps in Xiaomi's payment mechanism
Security researchers from Check Point Research (CPR) have identified security vulnerabilities in Xiami smartphones with MediaTek chips that allow payment forgery and disabling of the payment system by an unprivileged Android app.
Xiaomi can embed and sign its own trusted apps on the devices. But CPR said attackers can transfer an old version of a trusted app to the device, overwriting the new app file. This allows an attacker to bypass security fixes and mechanisms made by Xiaomi or the MediaTek chip.
Check Point security researchers discovered several security holes in the trusted “thhadmin” application, which is responsible for managing security. These security holes could be used to spy on stored keys or execute malicious code.
Xiaomi devices have a built-in mobile payment framework called “Tencent Soter”. The framework provides an API to third-party Android apps to integrate payment functions. Its main function is to enable verification of payment packets transferred between a mobile application and a remote backend server. This is essentially the security that users rely on when making mobile payments.
Hundreds of millions of Android devices support Tencent Soter. WeChat Pay and Alipay are the two biggest players in the Chinese digital payment industry. Together, they account for about 95 percent of China's mobile payments.
Each of these platforms has over a billion users. WeChat Pay is based on Tencent's Soter.
The vulnerability discovered by CPR, which Xiaomi lists as CVE-2020-14125, attacks the Tencent Soter platform and allows an unauthorized user to sign fake payment packages.
During the investigation, CPR found a way to attack the platform built into Xiaomi smartphones, which is used by millions of users in China for mobile payments. An unprivileged Android app could exploit the CVE-2020-14125 vulnerability to run malicious code on the trusted Wechat app and create payment packets.
The screenshot in the article is mine😂. Did I have it? Upload to reddit.