Bluebox Labs, a research outfit that tests security on mobile devices, recently put out some information pertaining to a specific Xiaomi Mi 4 smartphone that they tested and found out that it was riddled with malware, was using a version of Android that was vulnerable to hacking, and basically failed at all the security tests they made. Xiaomi, in their defense, has been very prompt and open about verifying the information. In the end, they all agreed that the tested unit was a counterfeit.
Xiaomi proved that the Mi 4 in question was a fake, but it was a very good one at that. Bluebox Labs have since updated their post to point out the same conclusion, but they were amazed at the level of counterfeiting that happened on the said device. The ‘Mi 4’ they had was bought from a street retailer in China, and had all the visual cues of the said device. Xiaomi’s team of engineers had to pore over countless photos to make sure it was a fake.
Secondly, the device in question initially beat benchmarking software and Xiaomi’s own “AntiFake” app via a complicated process of APK (installer) replacement – the phone replaced the legit installer with one it had on local storage, presumably apps that have been tampered with to reflect fake information. Only when these fake installers were deleted and replaced with legit ones did the “AntiFake” app show that the device was a counterfeit.
Xiaomi said on the record that it was cracking down on the manufacturers of fake devices, but the industry is at such a scale in China that the only way to be sure is to buy from Xiaomi’s online shop and a few trusted partners, mobile operators, and authorized retailers, such as Flipkart in India. Even then Bluebox says that tampering may still happen during transit and that Xiaomi should look heavily into this. It is pushing for a stronger authentication tool, so that user data can be protected.