Xiaomi Phones--Trojan

Xiaomi Phones Secretly Sending Users' Sensitive Data to Chinese Servers

Chinese telecoms equipment suppliers have previously been criticized by some countries due to suspected backdoors in its products, and if United States has banned its several major government departments, including NASA, Justice and Commerce Departments, from purchasing Chinese products and computer technology, then they are not wrong at all.

Recently, a German security firm claimed that a popular Chinese Android Smartphone, the Star N9500, came pre-installed with a Trojan that could allow manufacturer to spy onto their users’ comprising their personal data and conversations without any restrictions and users knowledge.

Now, the latest claim against Chinese smartphone manufacturers is the allegation that the popular Chinese smartphone brand, Xiaomi has been suspected of “secretly” stealing users’ information — including SMS messages and photos —from the device without the user's permissions and sending it back to a server in Beijing, despite of turning off the data backup functions, according to Apple Insider.

China-based smartphone company Xiaomi recently marked a successful entry into the Indian market this month. Earlier this year, the company also announced its Redmi Note, which, just like Xiaomi’s other handsets, was an affordable with almost all features that an excellent smartphone provides. However, the handset might be doing more than what it has been advertised.

Kenny Li of Hong Kong forum, IMA Mobile, recently noticed something odd with its Redmi Note smartphone. He discovered that the device continued to make connections with IP addresses in Beijing, China. The device kept trying to make the connection, even after switching off the company's iCloud-like MiCloud service.

Although it was pointed out that the transmissions occur only over Wi-Fi, though the device does stay in contact with the servers via small "handshakes" while using cellular data. Li then tried erasing the version of Android and installed a new version of Android, But the problem still persisted.

Security Researchers from F-Secure Antivirus firm also confirmed that Xiaomi phones (RedMi 1S handset) send quite a lot of personal and sensitive data to "api.account.xiaomi.com"  server located in China, including following information:

• IMEI Number of your phone
• IMSI Number (through MI Cloud)
• Your contacts and their details
• Text Messages

Previously China has accused companies like Google, Facebook, Microsoft, and Apple for spying on countries. So, what China is doing? The same.

Xiaomi, which is also known as Apple of China, has yet to respond to the allegations that the Redmi Note secretly sends user data to a China-based server.

If the allegations on the Xiaomi handset come true, it wouldn't be the first time a Chinese smartphone was found spying on its users. It had happened before as well, China has been known for its Digital Spying and privacy invasion.

Later in mid-June, the breach on the Star N9500 could allow an attacker to record phone callsautomatically, read emails and text messages, and remotely control the phone’s microphone and camera, in order to turn users’ smartphone into a bugging device that allows hackers to hear anything you are saying near by the phone. It could also be used for theft, including granting access to the user’s online banking service.

UPDATE
In a blogpost, Hugo Barra from Xiaomi company denies all the spying allegations made by F-Secure and other security experts.

"MIUI does not secretly upload photos and text messages. MIUI requests public data from Xiaomi servers from time to time. These include data such as preset greeting messages (thousands of jokes, holiday greetings and poems) in the Messaging app and MIUI OTA update notifications, i.e. all non-personal data that does not infringe on user privacy." he said.

Xiaomi's Mi Cloud service only able to backup and manage users' personal information in the cloud, as well as sync to other devices. But you can also turn it off manually from the device settings.

source : http://thehackernews.com/2014/08/xiaomi-phones-secretly-sending-users.html?m=1