A vulnerability discovered in some Xiaomi phones may cause users to lose funds in their accounts. Cybersecurity experts from Check Point Research (CPR) have found a vulnerability in the devices’ mobile payment mechanism that malicious actors can use to make fraudulent payments and essentially steal people’s money.
Check Point Security Researcher Slava Makkaveev made the following statements on the subject:
“We discovered a number of vulnerabilities that could allow forgery of payment packages from an Android app or outright disabling of the payment system. We were able to hack WeChat Pay and realize a scenario that totally worked.”
Cyber Security Company Informs Xiaomi of the Vulnerability
The vulnerability was found in Xiaomi’s Trusted Environment, a tool that stores and manages sensitive information such as passwords and security keys, according to CPR’s report. There were two ways to steal people’s money using this vulnerability: by getting them to install malware or by hijacking and tampering with the device itself.
In the first case, the malware keys come into play and send fake payment packages to steal the money. In the second case, the attacker would have to hijack the user’s smartphone, lower the security, and then run the code to create a fake payment package without the app. Both attacks can be performed on Xiaomi phones with MediaTek processors.
After finding the vulnerability, Makkaveev quickly informed Xiaomi so that it could fix the issue. “We quickly disclosed our findings to Xiaomi so they could issue a fix immediately,” he said.