Toss out your Xiaomi and Huawei phones, but keep your OnePlus devices, warns the Lithuanian government, following the publication of its report on the security of Chinese-made 5G smartphones.
“Our recommendation is not to buy new Chinese phones, and to get rid of those that have already been purchased as soon as reasonably possible,” Lithuanian Deputy Defense Minister Margiris Abukevicius told reporters at the unveiling of the National Cyber Security Center report, according to Reuters.
According to the report, Xiaomi appears to do the Chinese government’s bidding in ways that could endanger Western users, such as including a censorship module in its phones and secretly communicating with Chinese-run servers around the world. Meanwhile, Huawei’s sloppy app installation procedure can infect your phone with Android malware.
OnePlus’ phones were not found to be doing anything illegal by the study’s authors. The researchers were investigating reports that all three brands had engaged in potentially illegal behavior over the previous few years.
Although neither Xiaomi nor Huawei have carrier partnerships or direct distribution in the United States, their reasonably priced phones are available from major online retailers. In Europe, the brands are well-known and widely used.
What should you do if you own a Huawei or Xiaomi phone?
While using these devices, you should install and use some of the best Android antivirus apps, just like you would with any other Android phone. The built-in Google Play Protect on Xiaomi phones is inadequate, and we have no idea what kind of protection Huawei phones have.
You should also avoid using any app stores other than the Huawei phone’s built-in AppGallery. These third-party stores frequently have corrupted versions of well-known apps containing malware.
It’s a tougher call with Xiaomi. Even though the censorship module appears to be turned off in phones sold in Europe, the allegations made in the Lithuanian government report are quite suspicious.
Similarly, the secret Xiaomi communications could be explained as part of normal operations, but the researchers couldn’t tell because they couldn’t decrypt the encrypted messages. You must decide whether you want to continue using a Xiaomi phone.
Censorship in Xiaomi is dormant.
The Lithuanian researchers discovered that the Xiaomi Mi 10T routinely updated a file called “MiAdBlacklistConfig,” which contained a built-in list of nearly 450 taboo Chinese phrases such as “Free Tibet,” “Democratic Movement,” and “Long live Taiwan’s independence.”
All of these are phrases that the Chinese government does not want its people to see. The phone has built-in filters that are supposed to prevent users from viewing any media that contain those phrases.
The censorship filter was disabled for phones sold in the European Union, to which Lithuania belongs, but the researchers claim Xiaomi could easily turn it back on remotely.
According to the report, “the existence of such functionality may jeopardize free access to information and limit its accessibility.” “This is critical not only for Lithuania but for all countries that use Xiaomi devices.”
Secret communications
When a user signed up to use Xiaomi’s cloud functions, which include phone backups and lost-device location services, the Xiaomi phone secretly communicated with a Chinese-owned server in Singapore.
Communication with remote servers is normal during such procedures, but in this case, the Xiaomi phone sent an (encrypted) SMS message to the server without the user’s knowledge and immediately deleted the sent message from the phone’s text message log.
“Investigators were unable to read the contents of this encrypted message, so we can’t tell you what information the device sent,” one of the report’s co-authors told The Record.
When the Xiaomi Cloud service was turned off, the behavior stopped.
“Automated message sending and concealment via software pose potential threats to the security of the device and personal data,” the Lithuanian government warned in a report. “In this way, without the user’s knowledge, device data can be collected and transmitted to remote servers.”
The Xiaomi phone also sent what the researchers called “a relatively large amount of information” about phone configuration, apps, and processes, as well as user behavior, to Google Analytics and a similar Chinese firm called Sensor Data.
It also sent “statistical data on the activity of certain applications” to servers across the globe run by the Chinese internet company Tencent.
Backdoor to malware
The Huawei P40 was not found to be censoring or spying, but it did pose a significant security risk due to its frequent access to off-road app stores where malicious apps are known to lurk.
Huawei’s default app store is AppGallery. If a user searches for an app that isn’t in the AppGallery, the phone will look in third-party app stores such as APKMonk, APKPure, and Aptoide.
The user will be warned that they are being redirected to off-road stores over which Huawei has no control, and will be required to authorize the exit from the AppGallery. Nonetheless, the Lithuanian researchers discovered three malicious apps while using the Huawei P40 during this process.
“Such applications can be downloaded and installed on the mobile phone by the user, jeopardizing the security of the device and the data contained in it,” according to the report.
Update: Xiaomi statement
In response to a request for comment, Xiaomi provided Tom’s Guide with the following statement in its entirety.
