Xiaomi phones are fairly hard to come by in the United States, but elsewhere in the world, the inexpensive but well-made Chinese handsets are selling by the truckload, third only to Apple and Samsung.
With popularity comes risk, however, and that's exactly what Xiaomi users are facing right now. A recently discovered flaw in the Xiaomi version of Android could spell disaster for its users, unless they update their software right away.
This information comes from IBM's Security Intelligence blog, where the company gave credit to David Kaplan, one of its own researchers, for discovering the flaw. The vulnerability, while theoretically very bad, is not so different from many other smartphone vulnerabilities that have preceded it.
Like many phone manufacturers, Xiaomi uses a modified version of Android called MIUI rather than Google's stock installation. In mainland China, MIUI differs significantly from the Android found on most handsets and doesn't get its apps from the Google Play store. But in the rest of the world, MIUI is "Google compliant" and has Google-approved apps. Either way, MIUI could allow a cybercriminal to hijack a system.
MIUI periodically checks with Xiaomi servers to see if there's a new app or system update available. If so, it automatically downloads said update. Sounds simple, but Kaplan was able to devise a phony app that took advantage of the system.
As long as the app requested high-level permissions (which users often don't even check before installing), the app could then exploit the vulnerability and install whatever kind of harmful apps it wanted on the system. If a really clever cybercriminal had his or her way, downloading phony apps might not even be necessary; researchers at IBM found the vulnerability in native apps, including the Xiaomi web browser.
The good news is that Xiaomi and IBM collaborated to fix the issue quickly, and there's no evidence that malicious hackers ever exploited it in the wild. Xiaomi users can already download and install a MIUI firmware update that takes care of the issue.
For other Android users, the vulnerability should still serve as a warning: Google's "pure" Android is generally the safest kind of Android. If your phone manufacturer provides a modified OS (as most phone manufacturers do), keep the software up-to-date, and never install an app that requests privileges beyond what it's supposed to do.