UPDATE: Xiaomi has reached out to us with a statement regarding the Bluebox investigations. The full statement can be read here.
Bluebox, a data security firm, has claimed that Xiaomi’s popular Mi 4 smartphone comes pre-loaded with various malware, threatening the security of users’ data. The security firm conducted various tests, concluding that the smartphone is a serious security concern for user data.
Bluebox claimed that it purchased a Mi 4 smartphone from a local retailer in China, Xiaomi’s home market. Since China’s smartphone market is rife with counterfeit devices, a security researcher first verified the handset’s authenticity using Xiaomi’s own Mi Identification app. The device in question passed the test.
Sample of how the Mi Identification app works (via miui.com)
From there, Bluebox began combing the device’s software for vulnerabilities, and also ran the company’s own security app, Trustable by Bluebox. The results were very concerning: this Mi 4 came pre-installed with six suspicious apps – one even disguised as a Google package. These apps range from adware to full-on Trojan malware. Furthermore, the device came rooted and had USB debugging mode enabled.
Basically, Bluebox concluded, the Mi 4 is riddled with suspicious software out of the box – and it’s a massive security concern for those using the device.
Xiaomi, of course, is not happy about these allegations. And it looks like it has the facts to disprove Bluebox’s research. Hugo Barra, Xiaomi’s VP of Global Operations, issued a statement on the matter, and has been releasing the same statement to every media outlet which ran this story.
Firstly, Xiaomi questioned Bluebox’s decision to purchase the Mi 4 from a physical retail outlet – the security firm appears to be unaware of Xiaomi’s online-only business model, under which official units are sold only via its Mi.com website and official partners such as Flipkart in India and Lazada in Malaysia. This alone means that the device used in Bluebox’s research is highly likely to have been tampered with.
Further, while Xiaomi phones can be rooted by the user without voiding the warranty, none of them are shipped pre-rooted – the Mi 4 used by Bluebox was rooted, which grants greater access to system-level software. The statements can be read below:
“We are certain the device that Bluebox tested is not using a standard MIUI ROM, as our factory ROM and OTA ROM builds are never rooted and we don’t pre-install services such as YT Service, PhoneGuardService, AppStats etc. Bluebox could have purchased a phone that has been tampered with, as they bought it via a physical retailer in China. Xiaomi does not sell phones via third-party retailers in China, only via our official online channels and selected carrier stores.”
– Hugo Barra, VP Xiaomi International
Here’s a statement delivered to the media:
“It is likely that the Mi 4 that Bluebox obtained has been tampered with by a third party, because it was purchased from an unofficial channel. With the large parallel market for mobile phones of all brands in China, it is relatively common for third parties to tamper with the software sold on smartphones of any brand through such channels. Xiaomi only sells via Mi.com, and a small number of select Xiaomi trusted partners such as mobile operators.
Furthermore, contrary to what Bluebox has claimed, MIUI is true Android, which means MIUI follows exactly Android CDD, Google’s definition for compatible Android devices, and it passes all Android CTS tests, the process used by the industry to make sure a given device is fully Android compatible, both in China and international markets.”
– Hugo Barra, VP Xiaomi International
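The dispute above comes down to three observable signals on a handset: pre-installed packages that the vendor says it never ships (Bluebox’s six suspicious apps, one posing as a Google package), a rooted system image, and USB debugging enabled out of the box. The script below, an added example that is not part of the original article and not Xiaomi’s or Bluebox’s code, triages those signals from text saved off a device with the standard Android commands `adb shell getprop`, `adb shell pm list packages -f` and `adb shell settings get global adb_enabled`, plus a probe for a `su` binary. All sample captures, package names, property values and the vendor baseline list are constructed placeholders; a real check would substitute the vendor’s published package list for a factory ROM.

```python
"""Triage a device inventory for the tampering signals discussed in the article.

Input is text captured from `adb shell getprop`, `adb shell pm list packages -f`
and `adb shell settings get global adb_enabled`. Everything below marked as a
sample is constructed for illustration, not captured from a real Mi 4.
"""
import re

# --- Constructed sample captures (hypothetical values) ---
SAMPLE_GETPROP = """\
[ro.build.fingerprint]: [vendor/device/device:4.4.4/BUILDID/VERSION:user/release-keys]
[ro.build.type]: [user]
[ro.build.tags]: [release-keys]
[ro.debuggable]: [1]
[ro.secure]: [0]
"""
# `pm list packages -f` prints one line per package: package:<apk path>=<package name>
SAMPLE_PACKAGES = """\
package:/system/priv-app/Settings.apk=com.android.settings
package:/system/app/Mms.apk=com.android.mms
package:/system/app/GmsCore.apk=com.google.android.gms
package:/system/app/YTService.apk=com.google.android.yt.service
package:/system/app/PhoneGuard.apk=com.example.phoneguardservice
package:/data/app/com.example.userapp-1.apk=com.example.userapp
"""
SAMPLE_ADB_ENABLED = "1\n"   # output of `settings get global adb_enabled`
SAMPLE_SU_FOUND = True       # result of probing for a su binary (e.g. `adb shell which su`)

# Hypothetical vendor baseline: system packages a factory image is expected to carry.
VENDOR_BASELINE = {"com.android.settings", "com.android.mms", "com.google.android.gms"}
# Packages that legitimately live in the com.google. namespace (illustrative subset).
KNOWN_GOOGLE = {"com.google.android.gms"}

PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")
PKG_RE = re.compile(r"^package:(?P<path>.+?)=(?P<name>[\w.]+)$")


def parse_getprop(text):
    """Turn getprop output into a {property: value} dict."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def parse_packages(text):
    """Turn `pm list packages -f` output into a list of (apk_path, package_name)."""
    pkgs = []
    for line in text.splitlines():
        m = PKG_RE.match(line.strip())
        if m:
            pkgs.append((m.group("path"), m.group("name")))
    return pkgs


def assess(props, packages, adb_enabled_raw, su_found, baseline=VENDOR_BASELINE):
    """Return a list of (code, message) findings; an untouched factory image yields []."""
    findings = []
    # 1. Root / non-stock system image signals.
    if su_found:
        findings.append(("ROOTED", "su binary present on the system image"))
    if props.get("ro.build.type") == "user" and props.get("ro.debuggable") == "1":
        findings.append(("ROOTED", "ro.debuggable=1 on a user build"))
    if props.get("ro.secure") == "0":
        findings.append(("ROOTED", "ro.secure=0: adbd is not dropped to the shell user"))
    if props.get("ro.build.tags", "").endswith("test-keys"):
        findings.append(("UNSIGNED_BUILD", "system image signed with test-keys"))
    # 2. USB debugging enabled before the owner ever touched Developer Options.
    if adb_enabled_raw.strip() == "1":
        findings.append(("USB_DEBUG", "USB debugging (adb_enabled) is on"))
    # 3. Pre-installed packages outside the vendor baseline, and Google-namespace impostors.
    for path, name in packages:
        if path.startswith("/system/") and name not in baseline:
            findings.append(("UNEXPECTED_SYSTEM_APP", f"{name} at {path} is not in the vendor baseline"))
        if name.startswith("com.google.") and name not in KNOWN_GOOGLE:
            findings.append(("GOOGLE_IMPOSTOR", f"{name} uses the Google namespace but is not a known Google package"))
    return findings


def triage_sample():
    """Run the checks over the constructed sample captures."""
    return assess(parse_getprop(SAMPLE_GETPROP), parse_packages(SAMPLE_PACKAGES),
                  SAMPLE_ADB_ENABLED, SAMPLE_SU_FOUND)


if __name__ == "__main__":
    for code, msg in triage_sample():
        print(f"{code:22} {msg}")
```

The package check is deliberately allow-list based: a factory ROM’s system partition is a fixed set, so anything outside the vendor’s published list is worth a look even before it is identified as adware or a Trojan. The impostor check only catches naming tricks; confirming that a `com.google.*` package is genuine still requires comparing its signing certificate against Google’s.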
Regardless, Xiaomi isn’t entirely absolved of blame here. While Bluebox may have conducted its tests on a tampered product, the firm did not receive any response from Xiaomi when it made contact. The Chinese company has confirmed that it is now looking into why Bluebox’s communication was not received and dealt with, and will act accordingly. In addition, the company reiterates that consumers should purchase Xiaomi products only from its Mi.com website, to ensure that the product is not tampered with in transit.
This isn’t the first time Xiaomi has faced allegations such as these. Last year, the company’s Redmi Note smartphone was found to be pinging a remote server in China, which turned out to be the MIUI ROM’s Messaging app requesting “preset greeting messages”.