Security News > 2022 > August > Xiaomi phones with MediaTek chips vulnerable to forged payments

Xiaomi phones with MediaTek chips vulnerable to forged payments
2022-08-12 10:00

Security analysts have found security issues in the payment system present on Xiaomi smartphones that rely on MediaTek chips providing the trusted execution environment that is responsible for signing transactions.

Considering how common mobile payments and Xiaomi phones are, especially in Asian markets, the money pool hackers could tap into is estimated to be in the billions of U.S. dollars.

Xiaomi phones that run on a MediaTek chip use the "Kinibi" TEE architecture, which creates a separate virtual enclave for storing security keys required for signing transactions.

Security researchers at Check Point have found a flaw in the trusted app format that Xiaomi uses, namely the lack of version control.

They bypassed Xiaomi and MediaTek security patches by overwriting the 'thhadmin' app on MIUI 12.5.6.0 with that from MIUI 10.4.1.0, opening up a host of exploitation possibilities.

If you can't afford to disable mobile payments altogether, try to minimize the number of installed apps on your device, keep your OS up to date, and use a mobile security suite that can detect and stop suspicious actions.


News URL

https://www.bleepingcomputer.com/news/security/xiaomi-phones-with-mediatek-chips-vulnerable-to-forged-payments/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Mediatek 61 0 41 27 22 90