Do you use a Xiaomi phone? You’d better update the software provided by the Chinese phone maker to fix a few vulnerabilities in the payment mechanism. On a compromised device, an attacker could extract the keys and send a fake payment packet to steal money.

Cybersecurity solutions firm Check Point Research (CPR) has said it has identified vulnerabilities in Xiaomi’s mobile payment mechanism. “Left unpatched, an attacker could steal private keys used to sign WeChat Pay control and payment packages,” it said.

It claimed that over one billion users could have been affected so far.

When contacted, a Xiaomi spokesperson admitted that there was a vulnerability.

Xiaomi response

“The cause of the vulnerability has been identified. The technical team is working closely with supply chain partners to eliminate the risk and the fixing process has been initiated,” the spokesperson told BusinessLine.

The spokesperson, however, contended that the vulnerability has been found only in a limited number of models.

“It requires an extremely high level of cracking technology. Therefore, it has not had a wide impact and has not caused any loss to users,” the spokesperson claimed.

Chinks in ‘Trusted Environment’

Experts at Check Point said the vulnerabilities were found in Xiaomi’s Trusted Environment, which is responsible for storing and managing sensitive information, such as keys and passwords.

The devices studied by Check Point Research were powered by MediaTek chips.

Attackers could steal sensitive information from the phone in two ways. In the first, a user installs a malicious application and launches it; the app then extracts the keys and sends a fake payment packet to steal money. The second requires the attacker to have the device in hand.

“If the attacker has the target device in his hands, he can root the device and downgrade the trust environment, before running a code to create a fake payment package without an application,” it said.

Check Point Research said it disclosed the information to the phone maker. “Xiaomi acknowledged and issued fixes,” it said.

“We discovered a set of vulnerabilities that could allow forging of payment packages or disabling the payment system directly, from an unprivileged Android application,” Slava Makkaveev, Security Researcher at Check Point, said.

“We were able to hack into WeChat Pay and implemented a fully worked proof of concept. Our study marks the first time Xiaomi’s trusted applications are being reviewed for security issues,” he said.

“Our message to the public is to constantly make sure your phones are updated to the latest version provided by the manufacturer,” he said.