It's not uncommon for security firms to raise their public profile by publishing analyses of device security and vulnerabilities. However, Bluebox Security really stuck its virtual foot in its mouth this time. After posting what appeared to be a damning exposé of malware shipping on Xiaomi's Mi4 last week, the company has had to post an addendum admitting that it was fooled by a fake and Xiaomi's phones aren't shipping with malware after all. Oops.
The original article published last week accused Xiaomi of loading a number of suspicious apps and services in its official ROM, including Yt Service (adware), PhoneGuardService (trojan), and AppStats (adware/spyware). In addition, the device tested by Bluebox Security was rooted out of the box and had USB debugging turned on. Bluebox says the device (purchased from a retail location in China) passed Xiaomi's anti-fake app, which is used to spot counterfeit phones. That's all really bad, but Xiaomi responded shortly after the post was made public.
VP of international (and former Googler) Hugo Barra explained to Bluebox that Xiaomi does not ship any of those services on phones and its devices are never pre-rooted. In fact, it doesn't even sell devices through third-party retailers in China, only on the official website and via carriers. That should have been Bluebox's first clue something was wrong. So did Bluebox Security simply evaluate a counterfeit device? The company sent a dozen photos of the device to Xiaomi, which confirmed it was just a good fake with a modified MIUI ROM.
To its credit, Bluebox Security has updated its original post several times as its researchers correspond with Xiaomi. Bluebox researchers should probably have known better than to buy a testing device from an unofficial sales channel, but Xiaomi isn't completely off the hook. Bluebox Security says it did try to disclose the results of its test to Xiaomi before going public, but it never received a response. Xiaomi is apparently looking into what happened there.
- Bluebox Security