Don't use these Chinese smartphones, European government warns

UPDATED with comment from Xiaomi.

Toss out your Xiaomi and Huawei phones, but keep the OnePlus ones, warns the government of Lithuania following the publication of its own report about the security of Chinese-made 5G smartphones. 

"Our recommendation is to not buy new Chinese phones, and to get rid of those already purchased as fast as reasonably possible," Lithuanian Deputy Defense Minister Margiris Abukevicius told reporters during the unveiling of the report from Lithuania's National Cyber Security Center, according to Reuters.

Xiaomi seems to do the bidding of the Chinese government in ways that could threaten users in the West, the report argues, including putting a censorship module in its phones and secretly communicating with Chinese-run servers worldwide. Meanwhile, Huawei's lax app-installation process can get your phone infected by Android malware. 

As for OnePlus, its phones weren't found by the study's authors to be doing anything nefarious. The researchers were following up on reports over the past few years that all three brands engaged in possibly shady behavior.

Neither Xiaomi nor Huawei has carrier partnerships or direct distribution in the United States, although their relatively inexpensive phones are easy to buy from major online retailers. The brands are widely known and used in Europe.

What to do if you have a Huawei or Xiaomi phone

As with all Android phones, you'll want to install and use some of the best Android antivirus apps while using these devices. The built-in Google Play Protect on Xiaomi phones doesn't cut it, and we don't know what kind of built-in protection Huawei phones have.

You'll also want to avoid using all app stores other than the built-in AppGallery on a Huawei phone. Those third-party stores often have corrupted versions of well-known apps that secretly contain malware.

Regarding Xiaomi, it's a tougher call. The allegations laid out in the Lithuanian government report are pretty suspicious, even if the censorship module seems to be turned off in phones sold in Europe. 

Likewise, the secret Xiaomi communications might be explained as part of normal operations, but the researchers weren't able to determine that because they couldn't crack the encrypted messages. You'll have to decide for yourself whether you want to keep using a Xiaomi phone.

Xiaomi dormant censorship

The Lithuanian researchers found that the Xiaomi Mi 10T regularly updated a file called "MiAdBlacklistConfig" that held a built-in list of nearly 450 taboo Chinese phrases, including "Free Tibet," "Democratic Movement" and "Long live Taiwan's independence." 

All are phrases that the Chinese government doesn't want its citizens to see. The phone has built-in filters that are supposed to block users from viewing any kind of media associated with those phrases. 

The censorship filter was deactivated for phones sold in the European Union, to which Lithuania belongs, but the researchers said it could easily be flipped on remotely by Xiaomi.

"The existence of such functionality may jeopardize free access to information and limit its accessibility," stated the report. "This is important not only for Lithuania, but also for all countries using Xiaomi devices."

Secret communications

The Xiaomi phone also secretly communicated with a Chinese-owned server in Singapore when the user signed up to use Xiaomi's cloud functions, which include phone backups and lost-device location services. 

Communication with remote servers is normal during such procedures, but in this case, the Xiaomi phone sent a (somehow) encrypted SMS message to the server without the user's knowledge, and deleted the sent message from the phone's text-message log immediately afterward.

"Investigators were unable to read the contents of this encrypted message, so we can't tell you what information the device sent," one of the report's co-authors told The Record.

The behavior did not happen once the Xiaomi Cloud service was disabled.

"Automated sending of messages and its concealment by means of software pose potential threats to the security of the device and personal data," warned the Lithuanian government report. "In this way, without the user's knowledge, device data can be collected and transmitted to remote servers."

The Xiaomi phone also sent what the researchers called "a relatively large amount of information" about phone configuration, apps and processes, as well as user behavior, to Google Analytics and a similar Chinese firm called Sensor Data. 

It also sent "statistical data on the activity of certain applications" to servers across the globe run by the Chinese internet company Tencent.

Backdoor to malware

The Huawei P40 wasn't found to be censoring or spying, but did pose a pretty serious security risk because it regularly reached out to off-road app stores where malicious apps are known to lurk.

Huawei's default app store is Huawei's own AppGallery. But if the user searches for an app that's not in the AppGallery, then the phone will search third-party app stores, including but not limited to APKMonk, APKPure and Aptoide. 

The user will be warned that they're being redirected to off-road stores over which Huawei has no control, and must authorize the jump out of the AppGallery. Nonetheless, the Lithuanian researchers came across three malicious apps through this process while using the Huawei P40.

"Such applications can be downloaded and installed by the user on the mobile phone, thereby jeopardizing the security of the device and the data contained in it," the report said.

Update: Xiaomi statement

In response to a request for comment, Xiaomi provided Tom's Guide with this statement, in full.

"Xiaomi's devices do not censor communications to or from its users. Xiaomi has never and will never restrict or block any personal behaviours of our smartphone users, such as searching, calling, web browsing or the use of third-party communication software. Xiaomi fully respects and protects the legal rights of all users. Xiaomi complies with the European Union's General Data Protection Regulation (GDPR)."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

  • Bo Yu
    Xiaomi, Huawei phones engage in dodgy behavior, according to Lithuania's government??? Any proof? Who wrote the article? According to Lithuania's government because? This so-called allegation has no proof at all. It is a political tool used in a cold war after Lithuania over Taiwan ties.
  • ahsan.tariq351
    Whenever I read any article regarding Chinese phones two things come to my mind.
    Edward Snowden
    How you can't opt out of ads in Google.
  • Shaviat
    Is Oppo one of them?
  • Acamir
    And what does Google do every day behind our back.... "dodgy behavior"