MIUI ROM has the "" vulnerability, which can be used to obtain system permissions, text messages, passwords, and other important data.
All MIUI ROM versions on the official Xiaomi website have a system permission vulnerability. Any APK can exploit this vulnerability to obtain the same permissions and data as the ROM vendor. Attackers can steal system application data (such as text messages, address books, and photos), steal Xiaomi account passwords (compromising data backed up by Xiaomi Wallet and the cloud), perform silent installation, and even perform OTA system upgrades; in short, they can do whatever they want.
All MIUI ROM versions released on the official Xiaomi website sign their system APKs with the key from the Android open-source code. The following shows the APK signature information obtained from a MIUI ROM. The signature fingerprint matches the key included in the Android open-source code. This key is publicly available on the official Android website.
Once a malicious APK is signed with this public key, it can obtain arbitrary system permissions in a MIUI ROM, execute malicious code, obtain system data, overwrite system applications, and perform silent installation. In other words, it obtains the same permissions and data as the ROM vendor.
The following is an example application installed on MIUI7 6.1.9. This example application applies to all MIUI partner ROM versions released on the official Xiaomi website so far. Currently, most of the latest MIUI ROM versions are partner versions.
No confirmation is required on the phone when the tampered Xiaomi account application is installed. After installation, it can easily steal the user's Xiaomi account password.
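A ROM builder or auditor can check for the condition described above by comparing each system APK's signer certificate with the public certificates shipped in the Android source tree. The following is an added example, not code from the original report. It assumes the per-APK reports come from `apksigner verify --print-certs` and that the reference PEM files are copied from the AOSP tree's `target/product/security` directory; the APK names, the stand-in PEM and the digests in `sample_audit` are constructed.

```python
import base64
import hashlib
import re

# Line format printed by `apksigner verify --print-certs <apk>`.
DIGEST_RE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest:\s*([0-9a-fA-F]{64})\s*$", re.M)

def pem_sha256(pem_text):
    """Hex SHA-256 of the DER certificate carried in one PEM block."""
    body = "".join(line.strip() for line in pem_text.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def signer_digests(apksigner_output):
    """All signer certificate SHA-256 digests found in one apksigner report."""
    return {d.lower() for d in DIGEST_RE.findall(apksigner_output)}

def audit(reports, public_pems):
    """reports: {apk name: apksigner output}; public_pems: {label: PEM text}.
    Returns {apk name: [labels]} for APKs signed with a publicly known key."""
    known = {pem_sha256(pem): label for label, pem in public_pems.items()}
    findings = {}
    for apk, output in reports.items():
        hits = sorted(known[d] for d in signer_digests(output) if d in known)
        if hits:
            findings[apk] = hits
    return findings

def sample_audit():
    """Constructed input: a stand-in PEM (not a real certificate), two reports."""
    pem = ("-----BEGIN CERTIFICATE-----\n"
           + base64.b64encode(b"constructed stand-in, not a real cert").decode()
           + "\n-----END CERTIFICATE-----\n")
    reports = {
        "system_app_a.apk": "Signer #1 certificate DN: CN=constructed\n"
                            "Signer #1 certificate SHA-256 digest: "
                            + pem_sha256(pem) + "\n",
        "system_app_b.apk": "Signer #1 certificate SHA-256 digest: "
                            + "ab" * 32 + "\n",
    }
    return audit(reports, {"platform.x509.pem": pem})

if __name__ == "__main__":
    print(sample_audit())
```

Any APK reported by `audit` is signed with a key whose private half is public, so the release build should be re-signed with vendor-generated keys before shipping.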
Solution:
Strengthen security awareness