Update: Xiaomi issued the following statement, "As this device is not an original Xiaomi product, and not running an official Xiaomi MIUI software build, Bluebox’s findings are completely inaccurate and not representative of Xiaomi devices. We believe Bluebox jumped to a conclusion too quickly without a fully comprehensive investigation (for example, they did not initially follow our published hardware verification process correctly due to language barrier) and their attempts to contact Xiaomi were inadequate, considering the severity of their accusations."
While it's not hard for an unsophisticated user to contract malware on an Android phone, Chinese phone manufacturer Xiaomi may have made the entire process a little bit easier. The Xiaomi Mi4 LTE, a top-selling smartphone in China, reportedly comes with malware built-in and a shoddy, vulnerable version of Android on top of that.
Bluebox, a San Francisco-based mobile-security company, got its hands on a brand-new Mi4 LTE from China. After extensive testing to ensure that the device was the genuine article (counterfeit smartphones are common in China), the company published its unsettling findings: The Mi4 LTE appears to be unsafe to use from the moment you take it out of the box.
Using several Android antivirus scanners, Bluebox discovered that the phone contained at least six shady apps. Three in particular were pernicious enough to warrant special mention.
The first, Yt Service, enables a piece of adware known as DarthPusher, which fills the device with intrusive ads. Even more troubling is that Yt Service tricks the phone into thinking that it comes directly from Google, which would likely allay the average Android user's fears about the program.
Another piece of risky software, PhoneGuardService, is arguably worse, as it is classified as a Trojan: malware disguised as a legitimate app that could allow attackers to hijack the phone.
On the other hand, the last suspicious app, AppStats, is considered "riskware." It's not harmful in and of itself, but acts as a tempting target for purveyors of malware as a gateway into the rest of the phone.
When Bluebox ran its own Trustable app, which evaluates a phone's overall security, the Mi4 LTE was vulnerable to six of the seven Android flaws that Trustable checks for. The only one it escaped was the well-known Heartbleed bug, which on Android affected only the 4.1.1 Jelly Bean release.
The vulnerabilities may be there because the smartphone runs Xiaomi's own MIUI build of Android, which is derived from the open-source Android code base but has not been certified by Google. Although Google and Android are often treated as synonymous in the West, Android is open-source software (the Android Open Source Project, built on the Linux kernel), and anyone can take the AOSP source and build on it; Google is only one of many companies with an Android ecosystem of its own. (Because of Google's disputes with the Chinese government, the Google Play store and other Google apps are not commonly included on phones made for the Chinese domestic market.)
The result, according to Bluebox, is that the Mi4 LTE's Android build is a hodgepodge of two different Android versions, KitKat and Jelly Bean, and is exposed to the known flaws of each. On top of that, the device comes pre-rooted, as if it were a developer build, so third-party software can obtain superuser privileges and run largely unchecked by Android's application sandbox. Compromising a rooted phone is considerably easier than compromising one running an unmodified, certified Android build, because malicious code no longer needs a privilege-escalation exploit of its own to take full control.
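As an added example (not code from Bluebox, Xiaomi or the original article), here is a small POSIX shell script that triages the output of `adb shell getprop` for the build properties that separate a production release build from a rooted or engineering one. The property names are standard Android build properties; treating `ro.secure=0`, `ro.debuggable=1`, an `eng`/`userdebug` build type and `test-keys` signing tags as root indicators is the usual convention and is stated here as the script's assumption. Both property dumps are constructed, not captured from a Mi4 LTE.

```shell
#!/bin/sh
# Added example, not code from Bluebox or Xiaomi: triage an Android property dump
# (the output of `adb shell getprop`) for signs of a rooted / engineering build.
# Assumption: the four properties below carry their usual meaning on this device.
# Both dumps are constructed sample data, not captures from a real phone.

# Read one property value out of a getprop dump (lines look like "[ro.secure]: [1]").
prop() { # prop FILE NAME
    sed -n "s/^\[$2\]: \[\(.*\)\]\$/\1/p" "$1" | head -n 1
}

# Print one line per root/debug indicator found; print nothing for a release-looking build.
root_indicators() { # root_indicators FILE
    f=$1
    [ "$(prop "$f" ro.secure)" = "0" ] && echo "ro.secure=0: adbd runs as root, so an 'adb root' shell is available"
    [ "$(prop "$f" ro.debuggable)" = "1" ] && echo "ro.debuggable=1: debug build, any app can be attached to with a debugger"
    case "$(prop "$f" ro.build.type)" in
        eng|userdebug) echo "ro.build.type=$(prop "$f" ro.build.type): not a production 'user' build" ;;
    esac
    case "$(prop "$f" ro.build.tags)" in
        *test-keys*) echo "ro.build.tags=test-keys: system image signed with the public AOSP test keys" ;;
    esac
    return 0
}

# Number of indicators found; a release build should report 0.
indicator_count() { # indicator_count FILE
    root_indicators "$1" | awk 'END { print NR }'
}

# Verdict string: "suspicious" when any indicator is present, otherwise "release".
build_verdict() { # build_verdict FILE
    if [ "$(indicator_count "$1")" -gt 0 ]; then echo suspicious; else echo release; fi
}

# Constructed dump of what a production (user, release-keys) build looks like.
RELEASE_DUMP=$(mktemp)
cat > "$RELEASE_DUMP" <<'EOF'
[ro.build.type]: [user]
[ro.build.tags]: [release-keys]
[ro.secure]: [1]
[ro.debuggable]: [0]
[ro.build.version.release]: [4.4.4]
EOF

# Constructed dump of a pre-rooted engineering build (every indicator set).
SUSPECT_DUMP=$(mktemp)
cat > "$SUSPECT_DUMP" <<'EOF'
[ro.build.type]: [eng]
[ro.build.tags]: [test-keys]
[ro.secure]: [0]
[ro.debuggable]: [1]
[ro.build.version.release]: [4.4.4]
EOF
trap 'rm -f "$RELEASE_DUMP" "$SUSPECT_DUMP"' EXIT

for d in "$RELEASE_DUMP" "$SUSPECT_DUMP"; do
    echo "Android $(prop "$d" ro.build.version.release) build: $(build_verdict "$d")"
    root_indicators "$d" | sed 's/^/  - /'
done
```

On a real device you would feed the script `adb shell getprop > dump.txt`; alongside it, check for a `su` binary on the system partition and compare `ro.build.fingerprint` against the firmware the vendor actually publishes. The script covers only the property half of that check.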
Because Bluebox concluded that the phone it tested was genuine, it expects these flaws to be present on other brand-new Mi4 LTEs as well. At the time of the original report, Xiaomi had not responded to the company's queries, nor had it acknowledged the device's purported security flaws.
If you were planning to import a Mi4 LTE, you may want to reconsider. If you've already done so, your safest bet might be to replace the preloaded firmware with an Android build obtained from a source you can verify.