Xiaomi mobile payment vulnerability could facilitate forged transactions

The Check Point Research team analysed the payment system built into Xiaomi smartphones powered by MediaTek chips, which are very popular in China.

The CPR researchers took a close look into a set of vulnerabilities within Xiaomi’s trusted applications which are responsible for managing device security and mobile payments being used by millions of users around the globe.

During the reviews, the CPR researchers discovered vulnerabilities that could allow forging of payment packages or disabling the payment system directly from an unprivileged Android application.

Mobile payments are very popular and is now a common form of payments around the world. It is used daily and comfortably, which has pushed doubts and uncertainties aside. According to the latest data from statistics portal Statistica, the Far East and China accounted for two-thirds of the world's mobile payments in 2021. This is about $4 billion in mobile wallet transactions, which researchers believe would get hackers' attention due to the "huge amount of money".

According to the CPR research team, the Asian market mainly represented by smartphones based on MediaTek chips, has still not yet been widely explored. No one is scrutinising trusted applications written by device vendors, such as Xiaomi, even though security management and the core of mobile payments are implemented there. Our study marks the first time Xiaomi's trusted applications are being reviewed for security issues.

The CPR researchers focused on the trusted apps of MediaTek-powered devices, and used the Xiaomi Redmi Note 9T 5G with MIUI Global 12.5.6.0 OS as the test device.

Since Xiaomi can embed and sign their own trusted applications, the researchers found that an attacker can transfer an old version of a trusted app to the device and use it to overwrite the new app file.

Therefore, an attacker can bypass security fixes made by Xiaomi or MediaTek in trusted apps by downgrading them to unpatched versions.

VIEW ALL

The CPR research team also discovered several vulnerabilities in the admin trusted app, which is responsible for security management that could be exploited to leak stored keys or to execute code in the context of the app and then, practically perform malicious forged actions.

Xiaomi devices also have an embedded mobile payment framework named Tencent Soter that provides an API for third-party Android applications to integrate the payment capabilities. Its main function is to provide the ability to verify payment packages transferred between a mobile application and a remote backend server, CPR researchers explain, which are essentially the security and safety we all count on when mobile payments are performed.

According to Tencent, hundreds of millions of Android devices support Tencent Soter. WeChat Pay and Alipay are the two largest players in the Chinese digital payment industry. Together, they account for about 95 per cent of the Chinese mobile payments market. Each of these platforms has over one billion users.

WeChat Pay is based on the Tencent Soter. CPR researchers explain that if an app vendor wants to implement his own payment system, including the backend that stores users' credit cards, bank accounts, etc, without being tied to the WeChat app, essentially, the app vendor can directly use the Tencent Soter to verify the authenticity of transactions on its backend server. In other words, this specifically ensures a payment packet was sent from the vendor's app installed on a specific device, and then approved by the user.

The vulnerability CPR researchers found, which Xiaomi assigned CVE-2020-14125, completely compromises the Tencent Soter platform, allowing an unauthorised user to sign fake payment packages.

Throughout the research, the CPR team observed ways to attack the platform built into Xiaomi smartphones and used by millions of users in China for mobile payments.

An unprivileged Android application could potentially exploit the CVE-2020-14125 vulnerability to execute code in the WeChat trusted app and forge payment packets.

Xiaomi patched the vulnerability in June 2022 after the disclosure and collaboration with the CPR team.

In addition, the CPR researchers also demonstrated how the downgrade vulnerability in Xiaomi's TEE can enable the old version of the WeChat app to steal private keys. This presented read vulnerability has also been patched and fixed by Xiaomi after disclosure and collaboration.

Finally the downgrade issue, which has been confirmed by Xiaomi to belong to a third-party vendor, is being fixed shortly.

CPR researchers recommend mobile users to always update their phone's OS to the latest version and has advised that Check Point customers remain fully protected against such threats while using Harmony Mobile Security.

[Related: UK’s South Staffs Water hit by cyber attack]