
Xiaomi Spying on Millions of People’s ‘Private’ Web Searches & Sending Them to Private Servers in Russia & Singapore

The Chinese smartphone manufacturer Xiaomi has been caught collecting personal information from millions of users and storing it on servers located in China and Russia.

A security expert, Gabi Cirlig, recently discovered that his Redmi Note 8 was spying on his internet activity. Data ranging from the history of visited sites and search engine queries to which folders or screens he opened on the phone was forwarded to remote servers in Russia and Singapore, although the domains they hosted were registered in Beijing. The servers belong to Alibaba, the Amazon of China, which leased the space to Xiaomi.

According to a Forbes report, popular applications from the Chinese manufacturer, such as Mi Browser Pro, Mint Browser, and the browser included by default in the brand’s smartphones, were simply stealing users’ web behavior, even when they were browsing in incognito mode.

According to the security researcher, Gabi Cirlig, this could be happening on other smartphones as well, such as the Xiaomi Mi 10, Redmi K20, and Xiaomi Mi MIX 3, since the firmware of these smartphones shares the same browser source code as the Redmi Note 8.

Moreover, he recorded a video in which he explained how a search for porn on Google and a visit to PornHub in incognito mode are collected and sent from the phone.

Behavioral Analytics

This information is packaged and protected only with Base64 encoding, which can be easily decoded; as a result, it could expose user data. Moreover, these packages also carry data such as the unique device ID and the version of Android installed on the device, something that, according to the security expert, could easily be tied to the owner of the smartphone.
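Why Base64 gives no confidentiality, shown as an added example (not code from the researchers or from Xiaomi): anyone who can read the request body can decode it and list the identifiers inside. The payload, its field names and the list of sensitive key hints are constructed for illustration and are not the actual wire format.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode

# Constructed sample event; the field names are assumptions, not Xiaomi's wire format.
SAMPLE_EVENT = {"distinct_id": "constructed-device-id-0001",
                "properties": {"os_version": "Android 10", "incognito": True,
                               "url": "https://www.example.com/search?q=private+query"}}
SAMPLE_BODY = urlencode({"gzip": "0",
                         "data": base64.b64encode(json.dumps(SAMPLE_EVENT).encode()).decode()})

# Key substrings a reviewer would treat as privacy-relevant (assumed list).
SENSITIVE_HINTS = {"device identifier": ("distinct_id", "device_id", "imei"),
                   "OS version": ("os_version",),
                   "browsing activity": ("url", "query", "referrer")}

def decode_fields(body):
    """Return {field: parsed JSON} for every form field that is Base64-wrapped JSON."""
    decoded = {}
    for name, values in parse_qs(body).items():
        raw = values[0]
        try:
            padded = raw + "=" * (-len(raw) % 4)   # tolerate stripped padding
            decoded[name] = json.loads(base64.b64decode(padded, validate=True))
        except ValueError:                          # not Base64, not UTF-8, or not JSON
            continue
    return decoded

def flag_sensitive(obj, path=""):
    """Walk decoded JSON and list (path, category, value) for sensitive-looking keys."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else key
            for category, hints in SENSITIVE_HINTS.items():
                if any(h in key.lower() for h in hints):
                    hits.append((here, category, value))
            hits.extend(flag_sensitive(value, here))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            hits.extend(flag_sensitive(item, f"{path}[{i}]"))
    return hits

def audit(body):
    """Decode every Base64 field in a captured request body and report what it exposes."""
    return [hit for doc in decode_fields(body).values() for hit in flag_sensitive(doc)]

if __name__ == "__main__":
    for path, category, value in audit(SAMPLE_BODY):
        print(f"{category:18} {path} = {value!r}")
```

No key is involved at any point, which is the difference between an encoding and encryption.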

This information is collected by Sensors Analytics, a company engaged in behavioral analysis. Xiaomi uses this firm’s service to better understand its users’ behavior. Another cybersecurity researcher hired by Forbes, Andrew Tierney, found that the information ends up in domains that reference the company and contain a programming API known as SensorDataAPI.

The data acquired is not limited to the Xiaomi browsers: use of the Music app, the sites visited in the news section, the behavior when sliding between screens, and interaction with the status bar were also found in it.

This practice is not new, and one could argue that Google does the same with its applications in order to improve the “user experience.” But in this case, the Chinese smartphone maker Xiaomi goes a step further by accessing the information covertly, so that it can evade users’ notice.

Xiaomi’s Response

In response, the Chinese company Xiaomi officially stated that the researchers’ claims are false, while accepting that it has collected navigation data only. Xiaomi said that it collected the navigation data anonymously and that users had given their consent for such monitoring.

Moreover, Xiaomi also stated that it had not collected any behavioral data from its users in incognito mode, contrary to the video evidence provided by the security researcher, Gabi Cirlig. Here’s the official statement: “This video shows the collection of anonymous browsing data, which is one of the most common solutions adopted by internet companies to improve the overall browser product experience through analyzing non-personally identifiable information.”

Apart from all this, the security researcher Gabi Cirlig has already made clear that “when you’re listening, Xiaomi is listening, too.”


Balaji N
