Some Xiaomi phones have serious security flaws

A flaw discovered in some Xiaomi phones could have cost users their hard-earned money.

Cybersecurity experts at Check Point Research (CPR) discovered a flaw in the devices' mobile payment mechanism, which threat actors could have used to sign fake payments, essentially stealing people's money.

"We discovered a set of vulnerabilities that could allow payment packages to be manipulated or the payment system disabled directly from an unprivileged Android application," said Slava Makkaveev, security researcher at Check Point. "We were able to hack WeChat Pay and implement a fully functional proof of concept."

According to the CPR report, the flaw was discovered in Xiaomi's trusted execution environment, the isolated component that stores and manages sensitive information such as passwords and security keys. There were two ways to steal people's money: by having them install malware, or by stealing the device and modifying it directly.

A quick fix

In the first case, the malware extracts the keys and sends fake payment packages to steal the money. In the second case, the attacker would have to root the smartphone, downgrade the trusted environment, and then run code that creates a fake payment package without needing an app.

In both cases, however, the device must be running on a MediaTek processor.

After finding the flaw, CPR notified Xiaomi, which appears to have worked quickly to fix the issue: "We immediately disclosed our findings to Xiaomi, who worked quickly to publish a fix," Makkaveev noted.

"Our message to the public is to always make sure your phones are updated to the latest version provided by the manufacturer. If even mobile payments aren't secure, then what is?"

Mobile payment systems seem to be the next big frontier. According to Fortune Business Insights, the market is expected to reach $11.83 trillion by 2028, with a compound annual growth rate of 29.1%. This also makes it a major target for cybercriminals, who are increasingly targeting payment systems, cryptocurrency wallets, and more.