If you own a Xiaomi smartphone, read this carefully: your device may be exposed to remote code execution (RCE). The issue affects devices running MIUI, Xiaomi's proprietary Android-based user interface, in all versions prior to MIUI Global Stable 7.2. Check the MIUI version your phone reports under its system settings; if it is older than 7.2 and the over-the-air update has not arrived, it is strongly recommended to install the update manually.
The flaw in MIUI was disclosed by security researcher David Kaplan of IBM X-Force. It allows an attacker with a privileged network position, for example someone on the same public Wi-Fi network in an airport or a cafe, to push malware onto the phone remotely. The issue is serious: a man-in-the-middle attacker can have the device execute arbitrary code, including malicious ROM updates, which means the handset can be completely compromised.
The IBM X-Force researchers found at least four default apps in older MIUI builds that are potentially vulnerable, among them the stock Xiaomi browser. Because the apps' update check is not authenticated, an attacker in the network path can inject a forged JSON response that triggers an update, with the download link pointing to an attacker-hosted package and the MD5 hash replaced by the hash of that package. The app's own integrity check then passes and the Android malware is installed.
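To make the failure concrete, the following is an added example written for this article; it is not Xiaomi's or IBM X-Force's code and does not reproduce any real MIUI component. It simulates the update flow described above in Python: a vulnerable updater that trusts whatever MD5 arrives in the JSON, beside a hardened one that pins a vendor public key and requires a signature over the downloaded package. The vendor key, the attacker key, the package bytes and the JSON descriptors are all constructed for the example; the signature scheme is textbook RSA over SHA-256 with publicly known Mersenne primes, chosen so the example runs with the standard library only, and is deliberately not a key or padding scheme anyone should ship.

```python
import hashlib
import json

# Toy vendor signing key, constructed for this example only. The primes are
# publicly known Mersenne primes, so the "private" exponent is recoverable by
# anyone. A real updater must use a vetted library (on Android,
# java.security.Signature with PKCS#1 v1.5 or PSS padding) and a properly
# generated key; the point here is the protocol shape, not the arithmetic.
_P = (1 << 521) - 1
_Q = (1 << 607) - 1
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))   # modular inverse, Python 3.8+
VENDOR_PUBLIC_KEY = (_N, _E)             # what the app pins at build time


def _digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def vendor_sign(data: bytes, private_key=(_N, _D)) -> str:
    """Textbook RSA signature (no padding) over SHA-256, returned as hex."""
    n, d = private_key
    return format(pow(_digest_int(data), d, n), "x")


def signature_valid(data: bytes, sig_hex: str, public_key=VENDOR_PUBLIC_KEY) -> bool:
    n, e = public_key
    return pow(int(sig_hex, 16), e, n) == _digest_int(data)


def vulnerable_accept(descriptor_json: str, downloaded: bytes) -> bool:
    """Pre-7.2 pattern: trust whatever hash arrived in the JSON descriptor.
    The descriptor and the download come from the same unauthenticated
    channel, so an attacker who controls one controls both."""
    desc = json.loads(descriptor_json)
    return hashlib.md5(downloaded).hexdigest() == desc["md5"]


def hardened_accept(descriptor_json: str, downloaded: bytes,
                    public_key=VENDOR_PUBLIC_KEY) -> bool:
    """Hardened pattern: metadata must be fetched over TLS (the scheme check
    stands in for the HTTP client's certificate validation), the download must
    match the descriptor's SHA-256, and the package must carry a signature that
    verifies under the pinned vendor key, so a hash the attacker chose is
    worthless on its own."""
    desc = json.loads(descriptor_json)
    if not desc.get("url", "").startswith("https://"):
        return False
    if hashlib.sha256(downloaded).hexdigest() != desc.get("sha256"):
        return False
    return signature_valid(downloaded, desc.get("sig", "0"), public_key)


# Constructed payloads: what the vendor serves and what a Wi-Fi MITM injects.
GENUINE_APK = b"analytics plugin, genuine vendor build (constructed bytes)"
MALICIOUS_APK = b"attacker-built dex with a reverse shell (constructed bytes)"

GENUINE_JSON = json.dumps({
    "url": "https://update.example/analytics.apk",      # hypothetical host
    "md5": hashlib.md5(GENUINE_APK).hexdigest(),
    "sha256": hashlib.sha256(GENUINE_APK).hexdigest(),
    "sig": vendor_sign(GENUINE_APK),
})

# The attacker controls every field of the injected JSON: the link, the MD5,
# even a consistent SHA-256 and an https URL. What they cannot produce is a
# signature under the pinned key; signing with their own key does not help.
_ATTACKER_N = ((1 << 127) - 1) * ((1 << 89) - 1)
_ATTACKER_D = pow(_E, -1, ((1 << 127) - 2) * ((1 << 89) - 2))
INJECTED_JSON = json.dumps({
    "url": "https://update.example/analytics.apk",
    "md5": hashlib.md5(MALICIOUS_APK).hexdigest(),
    "sha256": hashlib.sha256(MALICIOUS_APK).hexdigest(),
    "sig": vendor_sign(MALICIOUS_APK, (_ATTACKER_N, _ATTACKER_D)),
})


def run_scenarios() -> dict:
    """Each entry is True when the updater would install the package."""
    return {
        "vulnerable_genuine": vulnerable_accept(GENUINE_JSON, GENUINE_APK),
        "vulnerable_injected": vulnerable_accept(INJECTED_JSON, MALICIOUS_APK),
        "hardened_genuine": hardened_accept(GENUINE_JSON, GENUINE_APK),
        "hardened_injected": hardened_accept(INJECTED_JSON, MALICIOUS_APK),
        "hardened_swapped_download": hardened_accept(GENUINE_JSON, MALICIOUS_APK),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:26s} -> {'INSTALL' if ok else 'reject'}")
```

Running it shows the vulnerable updater installing both the genuine and the injected package, because the MD5 it compares against was supplied by the same party that supplied the download. The hardened updater installs only the genuine package and rejects the injected descriptor as well as a swapped download, even though the attacker's JSON is internally consistent. The same logic carries over to any self-updating app that downloads code at runtime: an integrity value transmitted alongside the payload authenticates nothing; only a key the device already trusts does.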
Xiaomi is the world's third-largest smartphone manufacturer and shipped over 70 million units last year, every one of them running its custom MIUI ROM, which makes the exposure very broad. The same ROM has also been ported by the community to more than 340 Android devices from other makers, including Samsung, HTC and Nexus models. The vulnerability is fixed in MIUI Global Stable 7.2 and later, but only devices that actually install the update are protected, so update your firmware as soon as possible.