Researchers at Check Point Research (CPR) recently discovered a set of serious vulnerabilities in the payment system of Xiaomi phones. Until the fix reaches their devices, affected Xiaomi users risk losing money, because an attacker could use the flaws to sign forged payment packages.
Slava Makkaveev, a Security Researcher at CPR, stated, “We discovered a set of vulnerabilities that could allow forging of payment packages or disabling the payment system directly, from an unprivileged Android application. We hacked into WeChat Pay and implemented a fully worked proof of concept.”
CPR traced the issue to the trusted environment on Xiaomi phones: the isolated execution environment the phone uses to store and handle sensitive data such as cryptographic keys, passwords and passcodes. The researchers found two ways an attacker could exploit the flaws to steal money.
The first requires getting the victim to install malware on the phone; the second requires control of the phone itself. In the first method, a malicious app extracts the signing keys from the trusted environment and uses them to send forged payment packets. In the second, the attacker roots the phone, weakens the protections of the trusted environment, and then runs code that creates a forged payment package without any app being involved. Both methods apply only to Xiaomi phones built on MediaTek processors.
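The two attack paths above rest on one observation: a payment backend verifies signatures, not intentions, so once the signing key has left the trusted environment, or once the component guarding it can be swapped for a weaker one, a forged package is indistinguishable from a real one. The following constructed model illustrates both cases. It is an added example and is not Xiaomi's, WeChat Pay's or CPR's code; the `TrustedEnvironment` class, its HMAC-based signing, the package fields and the anti-rollback check are all assumptions made for illustration, not a description of the real system.

```python
"""
Constructed model of a TEE-backed payment signer.
Not Xiaomi's, WeChat Pay's or CPR's code; every name and value here is assumed.
"""
import hashlib
import hmac
import json


def _canonical(package: dict) -> bytes:
    """Stable encoding so signer and verifier hash exactly the same bytes."""
    return json.dumps(package, sort_keys=True, separators=(",", ":")).encode()


class TrustedEnvironment:
    """Hypothetical stand-in for the phone's trusted environment. It holds the
    payment signing key and tracks the version of the trusted payment component."""

    def __init__(self, signing_key: bytes, component_version: int):
        self._signing_key = signing_key  # intended never to leave the TEE
        self.component_version = component_version

    def sign_payment(self, package: dict) -> str:
        """Sign a payment package. HMAC-SHA256 is used for brevity; a real TEE
        would use an asymmetric key, but the trust argument is the same."""
        return hmac.new(self._signing_key, _canonical(package), hashlib.sha256).hexdigest()

    def load_component(self, version: int, enforce_anti_rollback: bool) -> bool:
        """Model of (re)loading the trusted payment component. Without an
        anti-rollback check, an attacker with root can install an older,
        weaker version (the second attack path in the article)."""
        if enforce_anti_rollback and version < self.component_version:
            return False
        self.component_version = version
        return True


def verify_payment(signing_key: bytes, package: dict, signature: str) -> bool:
    """Backend-side check: does the signature match this exact package?"""
    expected = hmac.new(signing_key, _canonical(package), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


def forge_with_extracted_key(extracted_key: bytes, package: dict) -> str:
    """First attack path: malware that has extracted the key signs anything it likes.
    The backend has no way to tell this apart from a signature made inside the TEE."""
    return hmac.new(extracted_key, _canonical(package), hashlib.sha256).hexdigest()


def demo() -> dict:
    """Run both scenarios on constructed input and report what the verifier sees."""
    key = b"constructed-demo-key-not-a-real-secret"
    tee = TrustedEnvironment(key, component_version=3)

    legit = {"payer": "user", "payee": "shop", "amount": "12.50", "nonce": 1}
    legit_sig = tee.sign_payment(legit)

    # Tampering with a signed package without the key is still caught.
    tampered = dict(legit, amount="999.00")

    # Key extracted by malware: the forged package verifies just like the real one.
    forged = {"payer": "user", "payee": "attacker", "amount": "9999.00", "nonce": 2}
    forged_sig = forge_with_extracted_key(key, forged)

    return {
        "legit_verifies": verify_payment(key, legit, legit_sig),
        "tampered_verifies": verify_payment(key, tampered, legit_sig),
        "forged_verifies": verify_payment(key, forged, forged_sig),
        # Rooted phone trying to load version 1 over version 3:
        "downgrade_without_check": tee.load_component(1, enforce_anti_rollback=False),
        "downgrade_with_check": TrustedEnvironment(key, 3).load_component(1, enforce_anti_rollback=True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the model is the asymmetry it shows: signature verification alone protects only against attackers who lack the key, so the security of the whole scheme collapses to whether the trusted environment actually keeps the key inside and refuses to be rolled back to a weaker component. An anti-rollback check like the one in `load_component` is the kind of control that blocks the second path; keeping an unprivileged app from reaching the key at all is what blocks the first.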
Xiaomi is working on a fix
Fortunately, Check Point notified Xiaomi of the flaws as soon as it found them, and the company is working on a fix. “We immediately disclosed our findings to Xiaomi, who worked swiftly to issue a fix,” said Makkaveev.
CPR also urged the public “to constantly make sure your phones are updated to the latest version provided by the manufacturer.” At the same time, the researchers asked, “If even mobile payments are not secure, then what is?”
It is a question worth pondering, because use of mobile payment systems has been rising steadily: they are convenient, and users need not carry cash or a wallet. Fortune Business Insights predicts that the mobile payment market could reach $11.83 trillion by 2028. That growth makes these systems a prime target for attackers, as the recent rise in attacks on payment systems, cryptocurrency wallets and the like shows.