Vulnerabilities found in Xiaomi phones could allow mobile payment fraud on the Chinese brand's devices, affecting at least 1 billion users. They were detected by researchers at Check Point Research (CPR), according to a statement released on Monday (15).
According to the cybersecurity company, the flaws were present in smartphones manufactured by the Chinese giant and equipped with MediaTek processors. The errors affected the devices' Trusted Execution Environment (TEE), the isolated component responsible for processing and storing sensitive information such as cryptographic keys and fingerprints.
By exploiting such loopholes using a malicious app, cybercriminals would have the chance to steal keys, passwords and other financial data saved on the TEE to create fake payment packages on platforms such as WeChat Pay, very popular in China. From there, it would be possible to make fraudulent transfers to any account.
The flaws were detected in specific models manufactured by Xiaomi. (Image source: Unsplash)
Another possibility mentioned by the researchers is a downgrade attack, in which attackers replace newer, security-hardened trusted apps with older, unprotected versions, bypassing the fixes made by Xiaomi and MediaTek and undermining the trusted environment. By exploiting the old vulnerabilities, they would then be able to generate the fake payment packages.
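The defence against the downgrade scenario described above is an anti-rollback check: the loader records the highest trusted-app version it has accepted in protected storage and refuses anything older. The following is an added illustration of that check, not code from the article, from Xiaomi, MediaTek or Check Point; the `SecureStore` class, the `payment_ta` app id and the version numbers are hypothetical stand-ins for a real TEE's replay-protected counter.

```python
# Added illustration: minimal anti-rollback version check for a trusted-app loader.
# Not the vendor's code; SecureStore stands in for replay-protected storage.
from dataclasses import dataclass, field


@dataclass
class SecureStore:
    """Stand-in for a monotonic per-app minimum-version record kept in
    replay-protected storage (the real thing lives inside the TEE)."""
    min_versions: dict = field(default_factory=dict)


class RollbackError(Exception):
    """Raised when an install would downgrade below the recorded minimum."""


def is_allowed(store: SecureStore, app_id: str, version: tuple) -> bool:
    """A version is acceptable if it is not older than the recorded minimum.
    Reinstalling the same version is allowed; anything lower is a rollback."""
    return version >= store.min_versions.get(app_id, (0,))


def install(store: SecureStore, app_id: str, version: tuple) -> tuple:
    """Accept the trusted app only if it passes the anti-rollback check, then
    raise the recorded minimum so this version cannot be rolled back later."""
    if not is_allowed(store, app_id, version):
        raise RollbackError(
            f"{app_id}: version {version} is older than minimum "
            f"{store.min_versions[app_id]}"
        )
    store.min_versions[app_id] = version
    return version


def simulate_downgrade_attempt() -> bool:
    """Constructed scenario: install v1.0, update to the fixed v1.1, then try
    to reinstall the vulnerable v1.0. Returns True if the downgrade is blocked."""
    store = SecureStore()
    install(store, "payment_ta", (1, 0))   # original, vulnerable build
    install(store, "payment_ta", (1, 1))   # patched build
    try:
        install(store, "payment_ta", (1, 0))  # attempted rollback
    except RollbackError:
        return True
    return False


if __name__ == "__main__":
    print("downgrade blocked:", simulate_downgrade_attempt())
```

The check only works if the stored minimum itself cannot be rewound, which is why real implementations keep it in a monotonic counter or replay-protected memory block rather than in ordinary flash that a privileged app could overwrite.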
According to CPR, one of the loopholes found completely compromises the Tencent Soter mobile payment framework, which Xiaomi phones use to verify payment package transfers and on which WeChat Pay is based. WeChat's digital wallet and AliExpress's Alipay are China's largest digital payment operators.
Alerted about the vulnerabilities in the phones it manufactures, Xiaomi released a patch to fix the errors detected by the researchers. The update was made available by the manufacturer in June for the affected models, some of which are sold in Brazil.
There are no reports that these security flaws in Chinese-branded phones have been exploited by cybercriminals, at least so far. However, it is essential to keep devices up to date with the latest packages to ensure greater protection against cyber attacks, fraud and scams.