
Xiaomi Spying on Millions of People’s ‘Private’ Web Searches & Sending Them to Private Servers in Russia & Singapore

The Chinese smartphone manufacturer Xiaomi has been caught collecting personal information from millions of users and storing it on servers located in China and Russia.

A security expert, Gabi Cirlig, recently discovered that his Redmi Note 8 was spying on his internet activity. Data ranging from the history of visited sites and search engine queries to the folders and screens opened on the phone was forwarded to remote servers in Russia and Singapore, although the domains they hosted were registered in Beijing. The servers belong to Alibaba, the Amazon of China, which leased the space to Xiaomi.

According to a Forbes report, popular applications from the Chinese manufacturer, such as Mi Browser Pro, Mint Browser, and the browser included by default in the brand’s smartphones, were stealing users’ web behavior, regardless of whether they were browsing in incognito mode.

According to the security researcher, Gabi Cirlig, this could be happening on other smartphones as well, such as the Xiaomi Mi 10, Redmi K20, and Xiaomi Mi MIX 3, since the firmware of these smartphones shares the same browser source code as the Redmi Note 8.

Moreover, he recorded a video showing how a search for porn on Google and a visit to PornHub in incognito mode are collected and sent from the phone.

Behavioral Analytics

This information is packaged and “protected” only with base64 encoding, which is an encoding rather than encryption and can be reversed by anyone who obtains the data; as a result, it could expose user data. Moreover, these packages also carry data such as the unique device ID and the version of Android installed on the device, something that, according to the security expert, could easily be correlated with the owner of the smartphone.
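To show how little base64 hides, the following added example (not code from the article or the researchers) decodes a constructed request body and lists the URLs, search queries and identifiers inside it. The body and every field name in it are hypothetical and do not reproduce Xiaomi's actual format.

```python
import base64
import binascii
import json
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed sample of an analytics POST body. All field names and values
# are hypothetical; they are not Xiaomi's or Sensors Analytics' real format.
_EVENTS = {
    "device_id": "EXAMPLE-DEVICE-0001",
    "os_version": "Android 10",
    "incognito": True,
    "events": [
        {"type": "page_view", "url": "https://example.org/private-page"},
        {"type": "search", "url": "https://search.example/?q=medical+symptoms"},
    ],
}
SAMPLE_BODY = urlencode({"v": "1", "data": base64.b64encode(json.dumps(_EVENTS).encode())})

def decode_fields(body):
    """Return {field: parsed JSON} for each form field that is base64-wrapped JSON."""
    decoded = {}
    for name, value in parse_qsl(body):
        try:
            decoded[name] = json.loads(base64.b64decode(value, validate=True))
        except (binascii.Error, ValueError):
            continue  # plain value: not base64, or not JSON once decoded
    return decoded

def findings(obj, path):
    """Walk decoded JSON; list values that identify the device or reveal browsing."""
    out = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            out += findings(val, f"{path}.{key}")
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            out += findings(val, f"{path}[{i}]")
    elif isinstance(obj, str):
        url = urlsplit(obj)
        if url.scheme in ("http", "https") and url.netloc:
            out.append(("url", path, obj))
            out += [("search_query", path, v) for k, v in parse_qsl(url.query) if k == "q"]
        elif path.lower().endswith("id"):
            out.append(("identifier", path, obj))
    return out

def audit(body):
    """Decode every base64 field in a captured body and report what it exposes."""
    return [f for name, doc in decode_fields(body).items() for f in findings(doc, name)]
```

Running `audit()` over traffic captured from a device you own gives a quick inventory of which fields pair a stable identifier with browsing activity.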

This information is collected by Sensors Analytics, a company that specializes in behavioral analysis. Xiaomi uses this firm’s service to better understand its users’ behavior. Another cybersecurity researcher hired by Forbes, Andrew Tierney, found that the information ends up in domains that reference the company and contain a programming API known as SensorDataAPI.

The data acquired is not limited to the Xiaomi browsers; data from the Music app, the sites visited in the news section, the behavior when sliding between screens, and interaction with the status bar was also found.

This practice is not new, and one could argue that Google does the same with its applications in order to improve the “user experience.” In this case, however, the Chinese smartphone maker goes a step further by accessing the information covertly, so that users do not notice.

Xiaomi’s Response

In response, Xiaomi officially stated that the researchers’ claims are false and accepted that it has collected the navigation data only. Xiaomi also said that it collected the navigation data anonymously and that users had given their consent for such monitoring.

Moreover, Xiaomi stated that it had not collected any behavioral data from its users in incognito mode, contrary to the video evidence provided by the security researcher, Gabi Cirlig. Here’s the official statement: “This video shows the collection of anonymous browsing data, which is one of the most common solutions adopted by internet companies to improve the overall browser product experience through analyzing non-personally identifiable information.”

Apart from all this, the security researcher, Gabi Cirlig, has already made it clear that “when you’re listening, Xiaomi is listening, too.”


Balaji N

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
