CPR found vulnerabilities that could allow forging of payment and disabling the payment system directly, from an unprivileged Android application
Mobile payments became very popular and a common form of payments around the world. We all use it daily and comfortably, pushing doubts and uncertainties aside.
But have you ever really wondered if this daily practice many of us are used to doing is really safe? Could someone steal money from your digital, daily used, wallet without your knowledge?
According to the latest statistics from statistics portal, Statistica, the Far East and China accounted for two-thirds of the world’s mobile payments in 2021. This is about $4 billion in mobile wallet transactions. Such a huge amount of money certainly attracts the attention of hackers. In this report, CPR (Mobile) researchers analysed the payment system built into Xiaomi smartphones powered by MediaTek chips, which are very popular in China. During these reviews, we discovered vulnerabilities that could allow forging of payment packages or disabling the payment system directly, from an unprivileged Android application.
If the TEE is safe, so are your payments
Trusted execution environment (TEE) has been an integral part of mobile devices for many years. Its main purpose is to process and store sensitive security information such as cryptographic keys and fingerprints.
Since mobile payment signatures are carried out in the TEE, we assume that if the TEE is safe, so are your payments.
The Asian market, mainly represented by smartphones based on MediaTek chips, has still not yet been widely explored. No one is scrutinizing trusted applications written by device vendors, such as Xiaomi, even though security management and the core of mobile payments are implemented there. Our study marks the first time Xiaomi’s trusted applications are being reviewed for security issues.
In our research, we focus on the trusted apps of MediaTek-powered devices. The test device used is the Xiaomi Redmi Note 9T 5G with MIUI Global 12.5.6.0 OS.
Main findings
Xiaomi can embed and sign their own trusted applications. We found that attacker can transfer an old version of a trusted app to the device and use it to overwrite the new app file. Therefore, an attacker can bypass security fixes made by Xiaomi or MediaTek in trusted apps by downgrading them to unpatched versions.
We discovered several vulnerabilities in the thhadmin trusted app, which is responsible for security management that could be exploited to leak stored keys or to execute code in the context of the app and then, practically perform malicious forged actions.
Embedded mobile payment framework compromised
Xiaomi devices have an embedded mobile payment framework named Tencent Soter that provides an API for third-party Android applications to integrate the payment capabilities. Its main function is to provide the ability to verify payment packages transferred between a mobile application and a remote back-end server which are essentially the security and safety we all count on when we perform mobile payments.
According to Tencent, hundreds of millions of Android devices support Tencent soter.
WeChat Pay and Alipay are the two largest players in the Chinese digital payment industry. Together, they account for about 95% of the Chinese mobile payments market. Each of these platforms has over 1 billion users. WeChat Pay is based on the Tencent soter. If an app vendor wants to implement his own payment system, including the backend that stores users’ credit cards, bank accounts, etc., without being tied to the WeChat app, he can directly use the Tencent soter to verify the authenticity of transactions on its backend server or in other words, specifically, make sure that a payment packet was sent from his app installed on a specific device, and approved by the user.
The vulnerability we found, which Xiaomi assigned CVE-2020-14125, completely compromises the Tencent soter platform, allowing an unauthorized user to sign fake payment packages.
Slava Makkaveev, Security Researcher at Check Point Software said,“We discovered a set of vulnerabilities that could allow forging of payment packages or disabling the payment system directly, from an unprivileged Android application. We were able to hack into WeChat Pay and implemented a fully worked proof of concept. Our study marks the first time Xiaomi’s trusted applications are being reviewed for security issues. We immediately disclosed our findings to Xiaomi, who worked swiftly to issue a fix. Our message to the public is to constantly make sure your phones are updated to the latest version provided by the manufacturer. If even mobile payments are not secure, then what is?”
Conclusion
Our report provides a close look into a set of vulnerabilities within Xiaomi’s trusted applications which are responsible for managing device security and mobile payments, being used by millions of users around the globe.
Throughout this research we observed ways to attack the platform built into Xiaomi smartphones and used by millions of users in China for mobile payments.
An unprivileged Android application could exploit the CVE-2020-14125 vulnerability to execute code in the wechat trusted app and forge payment packets.
After our disclosure and collaboration, this vulnerability has been patched by Xiaomi in June 2022.
In addition, we showed how the downgrade vulnerability in Xiaomi’s TEE can enable the old version of the wechat app to steal private keys. This presented read vulnerability has also been patched and fixed by Xiaomi after disclosure and collaboration.
The downgrade issue, which has been confirmed by Xiaomi to belong to a third-party vendor, is being fixed shortly.
Check Point’s customers remain fully protected against such threats while using Harmony Mobile Security.
We recommend mobile users to always update their phone’s OS to the latest version.
The full detailed report is available on the Check Point Research blog