Xiaomi Mi4 Smartphone May Have Malware Preinstalled

While it's not hard for an unsophisticated user to contract malware on an Android phone, Chinese phone manufacturer Xiaomi may have made the entire process a little bit easier. The Xiaomi Mi4 LTE, a top-selling smartphone in China, reportedly comes with malware built-in and a shoddy, vulnerable version of Android on top of that.

Bluebox, a San Francisco-based mobile-security company, got its hands on a brand-new Mi4 LTE from China. After extensive testing to ensure that the device was the genuine article (counterfeit smartphones are common in China), the company published its unsettling findings: The Mi4 LTE appears to be unsafe to use from the moment you take it out of the box.

MORE: Best Antivirus Software and Apps

Using several Android antivirus scanners, Bluebox discovered that the phone contained at least six shady apps. Three in particular were pernicious enough to warrant special mention.

The first, Yt Service, enables a piece of adware known as DarthPusher, which fills the device with intrusive ads. Even more troubling is that Yt Service tricks the phone into thinking that it comes directly from Google, which would likely allay the average Android user's fears about the program.

Another piece of risky software, PhoneGuardService, is arguably worse, as it's actually classified a Trojan, malware disguised as a legitimate app that could allow malefactors to hijack the phone.

On the other hand, the last suspicious app, AppStats, is considered "riskware." It's not harmful in and of itself, but acts as a tempting target for purveyors of malware as a gateway into the rest of the phone.

When Bluebox ran its own Trustable app, which evaluates a phone's overall security, the Mi4 LTE was open to all seven Android vulnerabilities that Trustable checks for, except the well-known Heartbleed flaw, which was patched after Android 4.1.1. Jelly Bean.

The vulnerabilities may be there because the smartphone uses Xiaomi's own open-source MIUI build of Android, which has not been certified by Google. Although Google and Android are often synonymous in the West, Android is actually open-source Linux software, and anyone can take the stock Android image and build on it. Google is only one of many companies with an Android ecosystem to call its own. (Due to Google's  issues with the Chinese government, the Google Play store and other Google apps are not common in Chinese phones made for the domestic market.)

The result is that the Mi4 LTE's Android build is an exploitable hodgepodge of two different versions of Android, KitKat and Jelly Bean, and is uniquely vulnerable to security flaws from each. On top of that, the device comes pre-rooted, as though it were a developer version, meaning that third-party software can run more or less unchecked. Infecting a rooted phone is somewhat easier than infecting a device with a certified Android build.

As the phone that Bluebox tested is the real deal, these flaws are most likely present on other brand-new Mi4 LTEs. Xiaomi has not responded to the company's queries, nor has it acknowledged the device's purported security flaws.

If you were planning to import an Mi4 LTE, you may want to reconsider. If you've already done so, your safest bet might be to root the device and install a Google-approved version of Android.

Marshall Honorof is a senior writer for Tom's Guide. Contact him at mhonorof@tomsguide.com. Follow him @marshallhonorof. Follow us @tomsguide, on Facebook and on Google+.

Marshall Honorof

Marshall Honorof is a senior editor for Tom's Guide, overseeing the site's coverage of gaming hardware and software. He comes from a science writing background, having studied paleomammalogy, biological anthropology, and the history of science and technology. After hours, you can find him practicing taekwondo or doing deep dives on classic sci-fi. 

  • Lee Sze Yong
    Phone tested was rooted. Testing company should know that most android phones are not rooted out of the box.
  • Bartek Feltman
    Do Bluebox even bother to check if they got original MI4 not fake one?
    Because original phone doesnt have mentioned apps installed in system.
    Yt Service? Can they even tell us which APK package is responsible for that service?
    Afaik ads and malware are present in fake xiaomi devices...
  • Kiswum
    How can they import a Xiaomi phone from China, when Xiaomi doesn't sell the Mi4 outside the Chinese borders?
    I think that they bought the phone from a webshop including an unofficial international ROM.
    I don't even think that the original rom is rooted. You need to perform a few steps to root it or you need to download the xiaomi.eu rom. This was is indeed rooted and contains the weekly build.

    I just read the original article.
    Thanks guys for not editing your message and spread this strange news into the world. Thank you for trying to bring Xiaomi down without all the facts...

    Bluebox DID NOT purchased the phone at Xiaomi, but at a reseller.
    The reseller could changed the rom with spyware.

    The conclusion of Bluebox and your post should be the same:

    This obviously means buying Xiaomi devices from a retail location is not recommended and only purchasing devices directly from mi.com will result in the supply chain integrity of the devices enterprises require.
  • Ixel
    An interesting article, potentially with misleading information as well as potentially putting off users from buying Xiaomi devices in the near future. Lack of sufficient evidence makes me wonder if there's much truth to it and whether there might be another motive. If this is true then I strongly suspect the reseller/retailer is at fault, not Mi themselves. I've used various Mi devices and to date not had a single bit of malware detected when I used the original firmware - though I've since moved to the original Android ROM as I prefer it in comparison to the MIUI ROM..
  • Jeremy Fr
    I don't understand the title : why using "may" when the fact have been proven?
  • Kiswum
    The article should now be: "Researchers, purchased a very good fake Xiaomi Mi4 at an unofficial store".

    Perhaps Tomsguide updates this article with the latest version of this story.