BREAKING – Xiaomi smartphones adware & malicious apps running rampant; built into MIUI


Kok Kee

The enthusiastic nanoelectronic engineer who found his way into simplifying the world of tech for everyone. Introverted, but noisy. Nice to meet you!

Here’s the TL;DR version: Imported versions of Mi phones use a modified version of MIUI firmware, and have been problematic for a few reasons. Firstly, it has adware built into the phone’s software itself. Two of the Mi smartphones, which I personally saw and tested, had this issue. One of them even had malicious code (I presume) which automagically installs apps on the phone itself, without the user even knowing.

How to avoid this problem – buy smartphones only from the main channel itself, i.e. from Mi Malaysia.

How I fixed this problem – factory resetting the phone doesn’t solve anything. The entire process is too long to summarize. Read the entire story and process below.

Disclaimer

I am absolutely NOT accusing anything or anyone in particular, but I just want to point out that there is such an issue. I’ve encountered two of these issues first-hand, and I really wouldn’t want to see any of these issues again. It’s disgusting, a total invasion of anyone’s privacy, and even hurts the manufacturer’s reputation.

To Xiaomi – take note of this issue. MIUI is getting modified and installed on Xiaomi smartphones, which are eventually shipped to Malaysia and sold to unknowing customers who expect the devices they buy to function without any of these random issues.

Also, I’m NOT the first to discover such issues, as The Hacker News posted about this last year, with Xiaomi’s spokesperson claiming that they are only investigating this matter, but the problem still persists. Even YouTuber AndroidAndyUK came across this issue with his Redmi Note 2 that he bought from AliExpress.

Story time

First case – Redmi Note 3 (MediaTek version) codenamed hennessy

A few months back, a friend of mine bought an imported Redmi Note 3 set. He furiously kept repeating that the phone was lagging, and eventually spilled the beans – there were random ads popping up on his phone for no reason. Eventually, he even mentioned that there were random apps installed on his phone which he never even knew existed. He claimed that those apps were not there during his initial use. Then he said he wanted me to root the phone and give it a custom ROM.

I was skeptical. Listening to this I just said “okay, let me root it and give you a custom ROM”, because that device was really lagging beyond my imagination.

Firstly, I downloaded the Developer ROM from MIUI’s official download page, and I followed their flashing guides to do so. At first I tried the easiest method to update the ROM, by using their System Update feature and pointing it to the downloaded ROM instead. It gave errors, and I moved on to the next method – Recovery Update. Apparently Xiaomi’s brand new policy means a locked recovery, rendering the entire second method unusable. This makes the Mi PC Suite method unusable too, if you’re wondering.

I had to resort to the most verbose method ever – the third one, Fastboot Update. The most tedious of all methods, it requires multiple steps just to prepare for the flashing, and once I got it to work, I flashed the Developer ROM on the Redmi Note 3. Since Xiaomi’s brand new policy needs like 10 days or so to grant the permission to unlock the bootloader AFTER flashing the Developer ROM, I had no choice but to tell my friend to use the Developer ROM for the time being.

Days went by, and to my surprise, my friend didn’t complain about anything on his Redmi Note 3 running a Developer ROM, other than Google services not working properly. Then one day I received an SMS telling me that my request to unlock the bootloader had been granted, and blah blah blah – I eventually flashed CM12.1 on it and everything went fine.

End of story 1, and I pretty much still don’t believe what happened.

Second story – Mi 5 codenamed gemini


This happened yesterday afternoon. I got a distress call saying that the brand new (just got it last Saturday) Mi 5 that he bought had random app installations and random advertisements popping out of WhatsApp and other apps too. I then received a few screenshots that made my jaw drop.


The Sime Darby Property app was caught red-handed while our victim was chatting with me, whereas the Rise Of The Dragon ad was taken some time ago. I thought “welp, this is familiar!” I requested some more screenshots, and I found something particularly interesting.


UPDATE: I got more screenshots from the victim, and it’s problematic to the max. Ads popping out on WhatsApp’s list of chats, and even while chatting!


As of the last time I checked (which was yesterday) on MIUI’s website, the Mi 5 has actually received a total of 3 more incremental versions since MIUI 7.2.4.0.0 Stable, and is currently at version 7.2.8.0. Tapping on the “Check for updates” button showed a message saying that there are no updates available, which told me what to do next.


“Click on Download Full ROM and follow the first method in the Flashing Guide and you’ll have a perfectly fine phone”, I told my friend. And it turned out horribly wrong. Just like the first case with the Redmi Note 3, it didn’t work. Same goes for the second method. Again I had to resort to the last method – using Fastboot Update.

This time I had to follow a completely different guide, thanks to EarlRagnar who posted a very detailed guide on how to do it. After fumbling with all the drivers and getting everything prepped, the Mi 5 booted up.

UPDATE: That link doesn’t work now. Here’s a brand new link for everyone to follow. It might differ a little, but it should work. http://en.miui.com/thread-298885-1-1.html

Apparently, by just flashing MIUI’s official firmware back onto the smartphone, everything was set straight again and there have been no issues since. Everything worked perfectly, but again it’s just like a Chinese Android smartphone – there are no Google services on the phone. That’s a small matter however, as there is a slew of guides on how to get Google services back on a Xiaomi smartphone in a jiffy.

Indicators of “infected phone”

I discovered there are potentially three main hints as to whether the phone is funky or not.

First and foremost, in these two cases, both phones are solely from China. They are imported units, directly from China. Coincidentally, both of these are from DirectD too. I’m not accusing them of selling such devices, and it’s just a coincidence.

Secondly, both of these devices, although they are from China and presumably use some Chinese firmware, are actually preset to work in English on initial boot. For me, I thought it was perfectly fine at first, but I realized that after I flashed any of MIUI’s official Chinese ROMs on both the devices, they automatically displayed everything in Chinese by default.

Thirdly, the MIUI version of both the Xiaomi smartphones that I came across wasn’t up to date at all, but the Updater showed that it was indeed up to date. Cross-check with MIUI’s website here to make sure. In the second case that I encountered first-hand, it was quite obvious there was a major mismatch in MIUI versions.
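The second and third hints can be checked from the device's build properties. The following is an added example, not part of the original post: it parses `adb shell getprop` output and flags a stale firmware version that the Updater reports as current, and an English default locale on a unit sold as a China import. The function names are hypothetical, the sample output is constructed, and the latest official version and the Updater's message must be read off manually.

```python
import re

# Constructed sample of `adb shell getprop` output (not captured from a real
# device); the build suffix XXXXXXX is a placeholder.
SAMPLE_GETPROP = """\
[ro.product.device]: [gemini]
[ro.build.version.incremental]: [V7.2.4.0.XXXXXXX]
[ro.product.locale]: [en-US]
"""

PROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>.*)\]$")

def parse_getprop(text):
    """Turn `[key]: [value]` lines into a dict, ignoring anything else."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props

def version_tuple(version):
    """'V7.2.4.0.XXXXXXX' and '7.2.4.0.0' both become (7, 2, 4)."""
    parts = []
    for part in version.lstrip("Vv").split("."):
        if not part.isdigit():
            break  # stop at the non-numeric build suffix
        parts.append(int(part))
    while parts and parts[-1] == 0:
        parts.pop()  # trailing zeros carry no ordering information
    return tuple(parts)

def check_indicators(props, latest_official, updater_says_current, china_unit):
    """Return a list of hints; these are hints, not proof of tampering."""
    findings = []
    installed = props.get("ro.build.version.incremental", "")
    behind = version_tuple(installed) < version_tuple(latest_official)
    if behind and updater_says_current:
        findings.append(f"{installed} is behind {latest_official}, "
                        "yet the Updater reports no update")
    locale = (props.get("ro.product.locale")
              or props.get("ro.product.locale.language", ""))
    if china_unit and locale.lower().startswith("en"):
        findings.append(f"China unit defaults to locale {locale}")
    return findings

if __name__ == "__main__":
    for hint in check_indicators(parse_getprop(SAMPLE_GETPROP),
                                 "7.2.8.0", True, True):
        print("HINT:", hint)
```
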

What does it mean and what should I do?

If your phone is funky, please get it fixed. I’m not sure if Xiaomi Malaysia actually handles imported units of their smartphones, and I really hope whoever sold you that smartphone will take total responsibility and fix your issue.


Deasha commented on this post saying that Mi Malaysia does not provide warranty for imported devices.


Of course, I don’t expect every smartphone dealer to know how to use Fastboot and the tools to fix every single smartphone out there, so I guess that’s where you have to take matters into your own hands. Tough luck, I know.

You could try uninstalling all the China apps on your smartphone – that’s a start, but the firmware version will still be stuck, of course, so I don’t recommend leaving the issue like this and marking it as “solved”.

Apparently not only Xiaomi smartphones

A year ago, my friend kept telling me that her relative’s Lenovo smartphone started acting on its own and doing things without anyone even touching it. Again, it’s the same thing – popping up ads and downloading apps without the user ever knowing. Lenovo’s A850 had the same issue too, but that’s pretty much all I can find as of now.
