Vulnerabilities in Xiaomi’s mobile payment software could allow an attacker to steal the private keys used to sign control and payment packages for WeChat Pay, the payment service of Chinese social media app WeChat.

The flaws were found by Check Point Research (CPR) in Xiaomi’s trusted execution environment (TEE), the system element responsible for storing and managing sensitive information such as passwords and keys.

Slava Makkaveev, security researcher at Check Point, said: “We discovered a set of vulnerabilities that could allow forging of payment packages or disabling the payment system directly, from an unprivileged Android application.”

The Xiaomi devices studied by CPR were powered by MediaTek chips and were found to be open to two different types of attack targeting the previously mentioned vulnerabilities.

The first kind of attack comes from an unprivileged malicious Android app, installed and launched by a user. In this instance, the app would be able to take the keys and send a fake payment packet to steal the money.

The second attack method involved the physical possession of the device by the attacker. If the physical device was obtained, they could root the device, downgrade the trust environment, and then run the code to create a fake payment package without an application.

Makkaveev continued: “We were able to hack into WeChat Pay and implemented a fully worked proof of concept. Our study marks the first time Xiaomi’s trusted applications are being reviewed for security issues.”

Xiaomi promptly patched the vulnerabilities once they were disclosed by CPR.

“Our message to the public is to constantly make sure your phones are updated to the latest version provided by the manufacturer. If even mobile payments are not secure, then what is?”


The post Vulnerabilities Found in Xiaomi’s Mobile Payment Software appeared first on IT Security Guru.

