Audio player loading…

A flaw discovered in some Xiaomi phones (opens in new tab) could have cost users their hard-earned money. 

Cybersecurity experts from Check Point Research (CPR) found a flaw in the devices’ mobile payment mechanism, which threat actors could have used to sign fake payments, essentially stealing people’s money. 

“We discovered a set of vulnerabilities that could allow forging of payment packages or disabling the payment system directly, from an unprivileged Android application,” commented Slava Makkaveev, Security Researcher at Check Point.” We were able to hack into WeChat Pay and implemented a fully worked proof of concept.” 

According to CPR’s report, the flaw was found in Xiaomi’s Trusted Environment, a tool that stores and manages sensitive information, such as passwords, or security keys. There were two ways to go about stealing people’s cash: by having them install malware, or by stealing and tinkering with the device itself. 

Fixing the problems fast

In the first instance, the malware would extract the keys, and send fake payment packets to steal the money. In the second instance, the attacker would need to root the smartphone (opens in new tab), downgrade the trust environment, then run the code to create a fake payment package without an application.

In both cases, however, the endpoint would need to be running on MediaTek processors.

After finding the flaw, CPR notified Xiaomi, which seems to have worked fast to address the issue: “We immediately disclosed our findings to Xiaomi, who worked swiftly to issue a fix,” Makkaveev noted. 

“Our message to the public is to constantly make sure your phones are updated to the latest version provided by the manufacturer. If even mobile payments are not secure, then what is?”

Mobile payment systems seem to be the next big frontier. According to Fortune Business Insights, the market is expected to hit $11.83 trillion in 2028, with a compound annual growth rate of 29.1%. That also makes it a major target for cybercriminals, who’ve been increasingly targeting payment systems, cryptocurrency wallets, and similar.

Advantages of local domestic helper. Teaser within 48 hours of your wedding day.