Xiaomi’s mobile payment mechanism has a series of security gaps that might have led users to make false transactions. Check Point researchers revealed the problem and warned that it can lead to serious security problems if it is not solved.
Mobile payments have experienced remarkable growth in recent years. In our country, almost 40% of Spaniards use their mobile to pay for purchases, as can be seen from the II Mobile payment trend study in Spain from Pecunpay.
This trend is leading more and more cybercriminals to set their sights on these mobile payment systems to carry out their threats. On this occasion, a group of researchers from Check Point Research (CPR) has identified vulnerabilities in Xiaomi's mobile payment system.
Specifically, the problem lies in the company’s Trusted Environment, which is the mechanism responsible for storing and managing sensitive information such as keys and passwords.
A common aspect of all the devices in which this vulnerability has been detected is that they had MediaTek chips. If not solved, the vulnerability might be exploited by cybercriminals to steal keys or make false payments.
This is how they exploit the vulnerability of the Xiaomi system
CPR researchers point out two ways to attack this payment mechanism. The first is from an unprivileged Android application: cybercriminals install a malicious application on infected devices to extract the keys. Once they gain access, they send a fake payment package to steal money.
The other method applies when the cybercriminals get their hands on the target devices and root them to gain superuser permissions. In this way, they downgrade the trusted environment and execute the code to create a fake payment package without the need for an application.
This trusted execution environment (TEE) is key in mobile devices to store sensitive information such as cryptographic keys or fingerprints. Because the signatures of mobile payments are made in the TEE, the security of payments depends on it.
In the case of Xiaomi, the devices have an integrated mobile payment framework called Tencent Soter, which provides an API for third-party Android applications to integrate payment capabilities.
In this way, the transfers of payment packets between a mobile application and a remote backend server are verified. The detected vulnerability compromises the Tencent platform, allowing an unauthorized user to sign fake payment packages.
How to protect yourself from this vulnerability
The risks of this gap are greater if one takes into account that WeChat Pay and Alipay, which make use of Tencent, are the two main operators in the mobile payment sector in China. Together they account for about 95% of the Chinese mobile payment market and more than 2 billion users.
Xiaomi has acknowledged this vulnerability and has collaborated with the CPR researchers who, as Slava Makkaveev, a security researcher at Check Point Software, explains, rushed to solve the gap.
That is why he points out that it is important that users “constantly ensure that their phones are updated with the latest version provided by the manufacturer.”