Xiaomi, what are you doing?

The security researcher Thijs Broenink has reverse-engineered the AnalyticsCore app, which comes preinstalled on his Xiaomi Mi4, and found that it checks the company's official server for a new update every 24 hours.

With this request to http://sdkconfig.ad.xiaomi.com/api/checkupdate/lastusefulversion (sent over plain HTTP), the app includes device identification information such as the IMEI, model, MAC address and others.

If the server reports an updated app with the filename “Analytics.apk”, it is automatically downloaded and installed in the background, without user interaction and without any validation of which APK is being installed on the device.

This means Xiaomi can remotely and silently install any application on your device just by renaming it to “Analytics.apk” and hosting it on its own server:

It seems like there indeed is no validation on what APK is getting installed. So it looks like Xiaomi can replace any (signed?) package they want silently on your device within 24 hours. And I’m not sure when this AppInstaller gets called, but I wonder if it’s possible to place your own Analytics.apk inside the correct dir, and wait for it to get installed (edit: getExternalCacheDir() is inside the app’s sandbox, so probably not).

But this sounds like a vulnerability to me anyhow, since they have your IMEI and Device Model, they can install any apk for your device specifically.
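As an added illustration (not Xiaomi's code, not Broenink's, and not taken from the page), this is the kind of pre-install gate an updater should apply so that a file named Analytics.apk is installed only when it declares the expected package name and is signed by a pinned certificate. The package name and the signer fingerprint are placeholders; the Android PackageManager and SigningInfo APIs used are real (API 28+).

```java
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;

/** Gate a downloaded APK must pass before it is handed to the installer. */
public final class ApkInstallGate {
    // Placeholder (assumption): SHA-256 of the DER-encoded signing certificate
    // the legitimate updater is signed with. Replace with the real fingerprint.
    static final String EXPECTED_SIGNER_SHA256 = "<PINNED_SIGNER_CERT_SHA256>";
    // Placeholder (assumption): the package name the update is allowed to carry.
    static final String EXPECTED_PACKAGE = "com.example.analytics";

    /**
     * Returns true only if the APK at apkPath declares EXPECTED_PACKAGE and its
     * single signer certificate hashes to EXPECTED_SIGNER_SHA256. The filename
     * ("Analytics.apk") is never treated as identity, and a plaintext download
     * channel cannot swap in an unsigned or differently signed package.
     */
    public static boolean isTrustedUpdate(PackageManager pm, String apkPath) throws Exception {
        PackageInfo info = pm.getPackageArchiveInfo(apkPath, PackageManager.GET_SIGNING_CERTIFICATES);
        if (info == null || info.signingInfo == null) return false;     // unparsable or unsigned
        if (!EXPECTED_PACKAGE.equals(info.packageName)) return false;   // wrong package identity
        if (info.signingInfo.hasMultipleSigners()) return false;        // exactly one signer expected
        Signature[] signers = info.signingInfo.getApkContentsSigners();
        if (signers == null || signers.length != 1) return false;
        String fingerprint = sha256Hex(signers[0].toByteArray());
        return EXPECTED_SIGNER_SHA256.equalsIgnoreCase(fingerprint);
    }

    /** Lower-case hex SHA-256 of the given bytes (the certificate fingerprint). */
    static String sha256Hex(byte[] data) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

Android itself only enforces a same-signer rule when a package with the same name is already installed; a pin like this also refuses a first-time install of an arbitrary package that merely carries the expected filename.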

For more technical information and the code analysis, see Thijs Broenink's website.