A team of Check Point researchers has identified a number of vulnerabilities in the mobile payment mechanism of Xiaomi, security gaps that could have allowed false transactions to be carried out in some of the brand’s models.
In recent years, mobile payments have become very popular and are now a common form of payment throughout the world, which has generated great interest among cybercriminals, according to the Statista portal.
This modality has also been widely implemented among Spanish users since, according to the II Study of mobile payment trends in Spain, almost 40 percent of those surveyed say that they use their smartphone to pay for purchases.
For that reason, telephone companies work to develop security solutions that promote the protection of their users’ data, among which is Xiaomi’s Trusted Environment.
A team of Check Point researchers has found a series of vulnerabilities in this system, which is responsible for storing and managing sensitive information, such as access credentials or security keys.
Specifically, these errors, which could have allowed false transactions to be carried out, have been found in devices equipped with MediaTek chips. Likewise, the cybersecurity service provider has pointed out that cybercriminals could have attacked its trusted code in two ways.
First, from an Android application without privileges. In this way, scammers install a malicious app on infected devices to extract the keys. Once it has access to them, it sends a fake payment package to steal the money.
Alternatively, if the cybercriminal gets their hands on the targeted devices, they gain privileged control over them, downgrade the trusted environment, and then execute the malicious code to create a fake payment package without the need to install an app.
Check Point points out that trusted execution environments (TEEs), where mobile payments are carried out, are an integral part of mobile devices, since they process and store confidential information.
Despite this relevance, the company asserts that no one is examining trusted applications written by the device vendors themselves, in this case by Xiaomi, which embeds and signs its own trusted apps.
In this regard, researchers have discovered that there is a possibility that an attacker could transfer an old version of a trusted application to the device and use it to overwrite the file of the new application.
That would be precisely the method used by cybercriminals to circumvent security fixes made by the brand, or by MediaTek, the developer of its processors, in its applications.
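Why a valid vendor signature alone does not stop the downgrade described above, shown as an added example (not Check Point's, Xiaomi's or MediaTek's code). The `Loader` class, the `demo_ta` app name and the key are hypothetical, and an HMAC stands in for the vendor's real signature scheme.

```python
import hashlib
import hmac
from dataclasses import dataclass

VENDOR_KEY = b"constructed-demo-key"  # assumption: stand-in for the vendor signing key

@dataclass(frozen=True)
class TrustedApp:
    name: str
    version: int
    code: bytes
    sig: bytes

def sign(name: str, version: int, code: bytes) -> bytes:
    # The version is covered by the signature, so it cannot be edited after signing.
    msg = name.encode() + b"\0" + version.to_bytes(4, "big") + b"\0" + code
    return hmac.new(VENDOR_KEY, msg, hashlib.sha256).digest()

def build(name: str, version: int, code: bytes) -> TrustedApp:
    return TrustedApp(name, version, code, sign(name, version, code))

class Loader:
    def __init__(self, enforce_rollback: bool):
        self.enforce_rollback = enforce_rollback
        self.min_version = {}  # models a monotonic counter in tamper-resistant storage
        self.installed = {}

    def install(self, app: TrustedApp) -> str:
        if not hmac.compare_digest(app.sig, sign(app.name, app.version, app.code)):
            return "rejected: bad signature"
        floor = self.min_version.get(app.name, 0)
        if self.enforce_rollback and app.version < floor:
            return f"rejected: version {app.version} below floor {floor}"
        self.installed[app.name] = app
        self.min_version[app.name] = max(floor, app.version)  # the floor never decreases
        return f"installed v{app.version}"

def demo() -> dict:
    old = build("demo_ta", 1, b"unpatched")  # constructed sample: older, genuinely signed
    new = build("demo_ta", 2, b"patched")    # constructed sample: fixed release
    results = {}
    for enforce in (False, True):
        loader = Loader(enforce)
        loader.install(old)
        loader.install(new)
        # Re-offer the old build: its signature is still valid.
        results[enforce] = (loader.install(old), loader.installed["demo_ta"].version)
    return results

if __name__ == "__main__":
    print(demo())
```
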
In addition, researchers have discovered gaps in the trusted application thhadmin, responsible for managing security on these devices, which could be exploited to leak stored keys or execute malicious code in the apps, followed by fraudulent actions.
COMPROMISED EMBEDDED PAYMENT FRAMEWORK
Tencent Soter is the payment framework embedded in Xiaomi devices, which provides an API for third-party Android apps to integrate their corresponding payment capabilities. Its main function is to verify payment transfers between mobile applications and remote backend servers.
According to the investigations carried out by this cybersecurity company, a vulnerability registered by Xiaomi as CVE-2020-14125 has been found, which compromises the platform and allows unauthorized users to sign fake payment packages.
Check Point also notes that WeChat and Alipay are the two largest operators in the digital payment sector in China and that they represent 95 percent of the Chinese market with respect to these transactions.
In particular, WeChat is based on Tencent Soter. That way, if an app vendor wants to implement their own payment system without being tied to this app, they can use the Soter mobile payment framework to verify transactions on their backend server.
For its part, Xiaomi has acknowledged the vulnerabilities and provided the relevant fixes to reduce fraudsters' chances of carrying out their attacks.