UPDATED with comment from Xiaomi.
Toss out your Xiaomi and Huawei phones, but keep the OnePlus ones, warns the government of Lithuania following the publication of its own report about the security of Chinese-made 5G smartphones.
"Our recommendation is to not buy new Chinese phones, and to get rid of those already purchased as fast as reasonably possible," Lithuanian Deputy Defense Minister Margiris Abukevicius told reporters during the unveiling of the report from Lithuania's National Cyber Security Center, according to Reuters.
Xiaomi seems to do the bidding of the Chinese government in ways that could threaten users in the West, the report argues, including shipping a censorship module in its phones and secretly communicating with Chinese-run servers worldwide. Meanwhile, Huawei's app store falls back to third-party app stores that are known to serve Android malware.
As for OnePlus, its phones weren't found by the study's authors to be doing anything nefarious. The researchers were following up on reports over the past few years that all three brands engaged in possibly shady behavior.
Neither Xiaomi nor Huawei has carrier partnerships or direct distribution in the United States, although their relatively inexpensive phones are easy to buy from major online retailers. The brands are widely known and used in Europe.
What to do if you have a Huawei or Xiaomi phone
As with all Android phones, you'll want to install and use a reputable Android antivirus app on these devices. The built-in Google Play Protect on Xiaomi phones doesn't cut it, and Huawei phones such as the P40 ship without Google services at all, so Play Protect isn't available there and it's unclear what built-in protection they have.
You'll also want to avoid all app stores other than the built-in AppGallery on a Huawei phone. Those third-party stores often carry repackaged versions of well-known apps that have malware added to them.
Regarding Xiaomi, it's a tougher call. The behavior documented in the Lithuanian government report is suspicious, even if the censorship module is turned off in phones sold in Europe.
Likewise, the hidden Xiaomi communications might be explained as part of normal operations, but the researchers weren't able to determine that because they couldn't decrypt the messages. You'll have to decide for yourself whether you want to keep using a Xiaomi phone.
Xiaomi dormant censorship
The Lithuanian researchers found that the Xiaomi Mi 10T regularly downloaded and updated a file called "MiAdBlacklistConfig" that held a list of nearly 450 taboo Chinese phrases, including "Free Tibet," "Democratic Movement" and "Long live Taiwan's independence."
All are phrases that the Chinese government doesn't want its citizens to see. The phone has built-in filters that are supposed to block users from viewing any kind of media associated with those phrases.
The censorship filter was deactivated for phones sold in the European Union, to which Lithuania belongs, but the researchers said it could easily be flipped on remotely by Xiaomi.
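The point the researchers make is that "deactivated" is a setting, not an absence: the phrase list is on the device and the switch lives in a file the vendor delivers. The following is an added illustration, not code from the report or from Xiaomi, and the real MiAdBlacklistConfig format is not described anywhere on this page. The JSON layout, the field names (`enabled`, `regions_off`, `phrases`) and the three sample phrases are constructed here to model a config-gated filter that a new remote config can turn on without any software update.

```python
import json
import unicodedata

# Constructed stand-in for a vendor-downloaded blocklist config. The real
# MiAdBlacklistConfig format is not public on this page, so the field names
# "enabled", "regions_off" and "phrases" are assumptions for illustration.
SAMPLE_CONFIG = json.dumps({
    "version": 17,
    "enabled": True,
    "regions_off": ["EU"],   # filter stays dormant for these sales regions
    "phrases": [
        "Free Tibet",
        "Democratic Movement",
        "Long live Taiwan's independence",
    ],
})


def _normalize(text: str) -> str:
    """Fold case, Unicode compatibility forms and whitespace so trivial
    variants ("FREE  Tibet", full-width letters) still match the list."""
    text = unicodedata.normalize("NFKC", text).casefold()
    return " ".join(text.split())


class PhraseFilter:
    """A blocklist filter whose on/off state comes from the downloaded config."""

    def __init__(self, config_json: str, device_region: str):
        cfg = json.loads(config_json)
        self.version = cfg["version"]
        self.phrases = [_normalize(p) for p in cfg["phrases"]]
        # The gate is a value in the server-supplied file, not a code path
        # missing from the build: a new config flips it with no app update.
        self.active = bool(cfg["enabled"]) and device_region not in cfg["regions_off"]

    def blocked(self, content: str) -> bool:
        if not self.active:
            return False
        c = _normalize(content)
        return any(p in c for p in self.phrases)


def audit(config_json: str, device_region: str) -> dict:
    """What a reviewer records: is the list present, and is it live here?
    'dormant' means the list is shipped but currently switched off."""
    f = PhraseFilter(config_json, device_region)
    return {
        "version": f.version,
        "entries": len(f.phrases),
        "active": f.active,
        "dormant": bool(f.phrases) and not f.active,
    }


def simulate_remote_flip(config_json: str) -> str:
    """Model the 'flipped on remotely' concern: the next config keeps the
    same phrases but drops the regional exception and bumps the version."""
    cfg = json.loads(config_json)
    cfg["regions_off"] = []
    cfg["version"] += 1
    return json.dumps(cfg)


if __name__ == "__main__":
    print("EU device, current config:", audit(SAMPLE_CONFIG, "EU"))
    print("EU device, after remote flip:", audit(simulate_remote_flip(SAMPLE_CONFIG), "EU"))
```

On the constructed config an EU device reports the list as present but dormant, and the same phrases start matching the moment a newer config without the regional exception arrives. That is the check worth running on any device-side filter: count the entries and locate the switch, rather than taking "disabled in your region" as the end of the story.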
"The existence of such functionality may jeopardize free access to information and limit its accessibility," stated the report. "This is important not only for Lithuania, but also for all countries using Xiaomi devices."
The Xiaomi phone also secretly communicated with a Chinese-owned server in Singapore when the user signed up to use Xiaomi's cloud functions, which include phone backups and lost-device location services.
Communication with remote servers is normal during such procedures, but in this case, the Xiaomi phone sent an encrypted SMS message to the server without the user's knowledge, and deleted the sent message from the phone's text-message log immediately afterward.
"Investigators were unable to read the contents of this encrypted message, so we can't tell you what information the device sent," one of the report's co-authors told The Record.
The behavior did not happen once the Xiaomi Cloud service was disabled.
"Automated sending of messages and its concealment by means of software pose potential threats to the security of the device and personal data," warned the Lithuanian government report. "In this way, without the user's knowledge, device data can be collected and transmitted to remote servers."
The Xiaomi phone also sent what the researchers called "a relatively large amount of information" about phone configuration, apps and processes, as well as user behavior, to Google Analytics and a similar Chinese firm called Sensor Data.
It also sent "statistical data on the activity of certain applications" to servers across the globe run by the Chinese internet company Tencent.
Backdoor to malware
The Huawei P40 wasn't found to be censoring or spying, but it did pose a serious security risk because it regularly reached out to third-party app stores where malicious apps are known to lurk.
Huawei's default app store is Huawei's own AppGallery. But if the user searches for an app that's not in the AppGallery, the phone will search third-party app stores, including but not limited to APKMonk, APKPure and Aptoide.
The user is warned that they're being redirected to third-party stores over which Huawei has no control, and must authorize the jump out of the AppGallery. Nonetheless, the Lithuanian researchers came across three malicious apps through this process while using the Huawei P40.
"Such applications can be downloaded and installed by the user on the mobile phone, thereby jeopardizing the security of the device and the data contained in it," the report said.
Update: Xiaomi statement
In response to a request for comment, Xiaomi provided Tom's Guide with this statement, in full.
"Xiaomi's devices do not censor communications to or from its users. Xiaomi has never and will never restrict or block any personal behaviours of our smartphone users, such as searching, calling, web browsing or the use of third-party communication software. Xiaomi fully respects and protects the legal rights of all users. Xiaomi complies with the European Union's General Data Protection Regulation (GDPR)."