Cybersecurity analysts have discovered a security flaw in the payment system on Xiaomi mobile phones that depend on MediaTek chips. These chips provide a trusted execution environment for signing and completing payment transactions.
Malicious threat actors could abuse the security vulnerabilities to sign fake payment packages using a third-party unprivileged app. This detail implies that such an attack would be able to render the payment service unavailable or to sign transactions from the target’s mobile wallet to the attacker’s account.
Since Xiaomi phones are ubiquitous devices for mobile payments in Asia, experts expect that the operators of this threat will likely generate a substantial amount of income.
The trusted environment of Xiaomi might cause severe damage to users if the issue is not addressed correctly.
Xiaomi smartphones that operate on a MediaTek chip utilise the Kinibi trusted execution environment architecture. This environment develops a separate virtuated landscape for keeping security keys needed for signing transactions.
This landscape is specially crafted for executing trusted applications like Xiaomi’s “thhadmin”, responsible for security management. In addition to security management, the Tencent Soter is also attached to the mobile payment framework that gives an API for third-party apps to add payment capabilities.
Payment apps like Alipay and WeChat pay have billions of users; hence, the bot app relies on Tencent Soter API to verify payment packages securely and allow financial transactions.
The experts said it is crucial to employ the June Android 2022 security updates, which fixes the CVE-2020-14125 critical vulnerability. However, this is only optional for those non-MediaTek-based Xiaomi smartphone users.
The Tencent Soter leak vulnerability is a third-party conflict. Therefore, Xiaomi’s next move could only be initiated if the vendor addresses the problem. Experts believe that a patch for this vulnerability will be available soon.
Suppose a user cannot afford to deactivate the mobile payment applications; experts advise that they should limit the number of installed apps on their devices. Also, users should keep their operating systems updated and use a mobile security suite that can spot and obstruct unwanted activities.
