cxo voice
  • Home
  • Technology
    • AI
    • Cloud
    • Telecom
    • Data Center
    • BPM
    • Blockchain
  • Finance
    • Banking
  • Cyber Security
  • View Points
  • Leaders Talk
  • News
  • Press Release
    • Submit Press Release
No Result
View All Result
  • Home
  • Technology
    • AI
    • Cloud
    • Telecom
    • Data Center
    • BPM
    • Blockchain
  • Finance
    • Banking
  • Cyber Security
  • View Points
  • Leaders Talk
  • News
  • Press Release
    • Submit Press Release
No Result
View All Result
Leaders Talk and Latest Tech News | CXO VOICE
No Result
View All Result
Home News Cyber Security

Xiaomi Fixes the Security Flaws In Its Mobile Payment Mechanism

News Desk by News Desk
August 13, 2022
Security flaws Xiaomi

Check Point Research (CPR) recognized the security flaws in Xiaomi’s mobile payment mechanism. The vulnerabilities were in Xiaomi’s Trusted Environment, which is reliable for storing and processing sensitive data such as keys and passwords. CPR responsibly revealed its findings to Xiaomi, which acknowledged and fixed the security flaws. 

Over 1 billion users could have been affected, an attacker could steal private keys used to sign Wechat Pay control and payment packages. In the most ominous case, an unprivileged Android app could have created and signed a fake payment package. The devices studied by CPR were powered by MediaTek chips. 

CPR main findings

Entrusted apps on Xiaomi phone can be downgraded

Xiaomi can embed and sign their own entrusted applications. CPR findings show that an attacker can reposition an old version of a trusted app to the device and use it to overwrite the new app file. Therefore, an attacker can bypass security fixes made by Xiaomi or MediaTek in trusted apps by downgrading them to unpatched versions. CPR found several vulnerabilities in the thhadmin trusted app, which is responsible for security management that could be exploited to leak stored keys or to execute code in the context of the app and then practically perform malicious forged actions.

Embedded mobile payment framework compromised.

Xiaomi devices have an embedded mobile payment framework named Tencent Soter that provides an API for third-party Android applications to integrate the payment capabilities. Its primary function is to provide the ability to verify payment packages transferred between a mobile application and a remote backend server which are essentially the security and safety we all count on when we perform mobile payments.

According to Tencent, hundreds of millions of Android devices support Tencent soter.

The security flaws CPR found, which Xiaomi assigned CVE-2020-14125, ultimately compromised the Tencent soter platform, allowing an unauthorized user to sign fake payment packages.

ADVERTISEMENT

Two Attack Paths

CPR discovered two ways to attack the trusted code: 

1. From an unprivileged Android app: The user installs a malicious application and launches it. The app extracts the keys and sends a fake payment packet to steal the money.

2. If the attacker has the target devices in their hands: The attacker rootes the device, then downgrades the trust environment and then runs the code to create a fake payment package without an application.

Slava Makkaveev, Security Researcher at Check Point, said, “We discovered a set of vulnerabilities that could allow forging of payment packages or disabling the payment system directly from an unprivileged Android application. We were able to hack into WeChat Pay and implemented a fully worked proof of concept. Our study marks the first time Xiaomi’s trusted applications are being reviewed for security issues. We immediately disclosed our findings to Xiaomi, who worked swiftly to issue a fix. Our message to the public is to constantly make sure your phones are updated to the latest version provided by the manufacturer. If even mobile payments are not secure, then what is?”

Also Read: Remote Work Needs a Redesigned Enterprise Network to Strengthen Cybersecurity

News Desk

News Desk

by CXO VOICE team memebrs, [email protected]

Related Posts

Quick Heal BHASHINI
Cyber Security

Quick Heal Technologies Partners with BHASHINI to Enhance Cybersecurity Education in Regional Languages

September 11, 2025
Ransomware in Education
Cyber Security

Ransomware in Education: Progress Made, But Challenges Remain for IT Teams

September 11, 2025
Klaar
Business

Klaar Launches in the U.S. with $5 Million in Funding to Enhance Performance Management

September 11, 2025
Ask Ralph
Business

Ralph Lauren Unveils ‘Ask Ralph’, A New AI-Powered Shopping Experience for Style Inspiration

September 10, 2025
Exabeam
Cyber Security

Exabeam Enhances Security Operations with Google Cloud Integration to Combat Insider Threats from AI Agents

September 10, 2025
TCS CEA
Business

TCS Partners with CEA to Innovate Physical AI Technologies

September 10, 2025
EV

India’s Largest TATA.ev MegaCharger Hub Inaugurated at Mumbai Airport on World EV Day

September 9, 2025
Business

PwC India Unveils Navigate Tax Hub, A Tax Management Platform with AI Technology

September 9, 2025
Load More
ADVERTISEMENT

Latest Updates

Quick Heal BHASHINI

Quick Heal Technologies Partners with BHASHINI to Enhance Cybersecurity Education in Regional Languages

by Deepa Sharma
2 hours ago

Ransomware in Education

Ransomware in Education: Progress Made, But Challenges Remain for IT Teams

by Arshi Khan
4 hours ago

Klaar

Klaar Launches in the U.S. with $5 Million in Funding to Enhance Performance Management

by News Desk
6 hours ago

Ask Ralph

Ralph Lauren Unveils ‘Ask Ralph’, A New AI-Powered Shopping Experience for Style Inspiration

by Deepa Sharma
1 day ago

Exabeam

Exabeam Enhances Security Operations with Google Cloud Integration to Combat Insider Threats from AI Agents

by Deepa Sharma
1 day ago

TCS CEA

TCS Partners with CEA to Innovate Physical AI Technologies

by Deepa Sharma
1 day ago

Expert Views

Cyber Security

Why Even One Unpatched Device Can Be a Catastrophic Risk for Startups and SMBs

July 25, 2025
Cyber Criminals
Cyber Security

How WormGPT Became ChatGPT’s Evil Twin

July 15, 2025
Opinion

When AI Empowers Both Networks and Hackers: The New Battlefield for India’s Telecoms

May 20, 2025
Molly Sands AI
AI

AI RIP: 5 Things Knowledge Workers Will Say ‘Sayonara’ to in the Next Decade

March 8, 2025
multi cloud
Cloud

Multi-Cloud Made Simple: Strategies for Smart Business Management

March 5, 2025

Get Latest Update

Subscribe to our mailing list to receives newsletter direct to your inbox!

ADVERTISEMENT

Leaders Interviews

Tokenization
Interview

Revolutionizing Finance: An Exclusive Interview with Sid Ugrankar, Co-founder of Qila.io on the Future of Blockchain and Tokenization

-
Steve Wilson, GenAI Cybersecurity LLMs
Cyber Security

How effective is GenAI in cybersecurity? The role of LLMs and AI in security solutions. [Interview with Steve Wilson]

-
Interview on Counterfeit products with Nikhil Narayan
Leaders Talk

Advancements in ML & AI made it possible to detect counterfeit products in real-time, says Nikhil Narayan

-
Newgenone bridges the gap between business users and IT teams with its low code capability: Varun Goswami
Leaders Talk

Newgenone bridges the gap between business users and IT teams with its low code capability: Varun Goswami

-

Entrepreneur

Samsung Electronics appoints its first female president

Inspiring Women Entrepreneurs in India (2022)

Technology Adoption For Entrepreneurs

Volunteering management is the need of the Hour

CXOVoice.com is a leading online publication for CXOs, entrepreneurs, senior leaders, developers, and industry professionals. Our coverage spans key sectors, including IT, technology, banking, finance, cybersecurity, engineering, and automobiles.

Connect with us

Easy Links

  • Cryptocurrency
  • Event
  • Blockchain
  • Press Release
  • Resources & Downloads

Write Us

[email protected]
  • Home
  • About Us
  • Contact Us
  • Advertise
  • Privacy & Policy
  • Feedback

Copyright © 2025 CXOVoice - All Right Reserved

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In

Add New Playlist

Our Spring Sale Has Started

You can see how this popup was set up in our step-by-step guide: https://wppopupmaker.com/guides/auto-opening-announcement-popups/

No Result
View All Result
  • Home
  • Technology
    • AI
    • Cloud
    • Telecom
    • Data Center
    • BPM
    • Blockchain
  • Finance
    • Banking
  • Cyber Security
  • View Points
  • Leaders Talk
  • News
  • Press Release
    • Submit Press Release

Copyright © 2025 CXOVoice - All Right Reserved