cxo voice
  • Home
  • Technology
    • AI
    • Cloud
    • Telecom
    • Data Center
    • BPM
    • Blockchain
  • Finance
    • Banking
  • Cyber Security
  • View Points
  • Leaders Talk
  • News
  • Press Release
    • Submit Press Release
No Result
View All Result
  • Home
  • Technology
    • AI
    • Cloud
    • Telecom
    • Data Center
    • BPM
    • Blockchain
  • Finance
    • Banking
  • Cyber Security
  • View Points
  • Leaders Talk
  • News
  • Press Release
    • Submit Press Release
No Result
View All Result
Leaders Talk and Latest Tech News | CXO VOICE
No Result
View All Result
Home News Cyber Security

Xiaomi Fixes the Security Flaws In Its Mobile Payment Mechanism

News Desk by News Desk
August 13, 2022
Security flaws Xiaomi

Check Point Research (CPR) recognized the security flaws in Xiaomi’s mobile payment mechanism. The vulnerabilities were in Xiaomi’s Trusted Environment, which is reliable for storing and processing sensitive data such as keys and passwords. CPR responsibly revealed its findings to Xiaomi, which acknowledged and fixed the security flaws. 

Over 1 billion users could have been affected, an attacker could steal private keys used to sign Wechat Pay control and payment packages. In the most ominous case, an unprivileged Android app could have created and signed a fake payment package. The devices studied by CPR were powered by MediaTek chips. 

CPR main findings

Entrusted apps on Xiaomi phone can be downgraded

Xiaomi can embed and sign their own entrusted applications. CPR findings show that an attacker can reposition an old version of a trusted app to the device and use it to overwrite the new app file. Therefore, an attacker can bypass security fixes made by Xiaomi or MediaTek in trusted apps by downgrading them to unpatched versions. CPR found several vulnerabilities in the thhadmin trusted app, which is responsible for security management that could be exploited to leak stored keys or to execute code in the context of the app and then practically perform malicious forged actions.

Embedded mobile payment framework compromised.

Xiaomi devices have an embedded mobile payment framework named Tencent Soter that provides an API for third-party Android applications to integrate the payment capabilities. Its primary function is to provide the ability to verify payment packages transferred between a mobile application and a remote backend server which are essentially the security and safety we all count on when we perform mobile payments.

According to Tencent, hundreds of millions of Android devices support Tencent soter.

The security flaws CPR found, which Xiaomi assigned CVE-2020-14125, ultimately compromised the Tencent soter platform, allowing an unauthorized user to sign fake payment packages.

ADVERTISEMENT

Two Attack Paths

CPR discovered two ways to attack the trusted code: 

1. From an unprivileged Android app: The user installs a malicious application and launches it. The app extracts the keys and sends a fake payment packet to steal the money.

2. If the attacker has the target devices in their hands: The attacker rootes the device, then downgrades the trust environment and then runs the code to create a fake payment package without an application.

Slava Makkaveev, Security Researcher at Check Point, said, “We discovered a set of vulnerabilities that could allow forging of payment packages or disabling the payment system directly from an unprivileged Android application. We were able to hack into WeChat Pay and implemented a fully worked proof of concept. Our study marks the first time Xiaomi’s trusted applications are being reviewed for security issues. We immediately disclosed our findings to Xiaomi, who worked swiftly to issue a fix. Our message to the public is to constantly make sure your phones are updated to the latest version provided by the manufacturer. If even mobile payments are not secure, then what is?”

Also Read: Remote Work Needs a Redesigned Enterprise Network to Strengthen Cybersecurity

News Desk

News Desk

by CXO VOICE team memebrs, [email protected]

Related Posts

Tech Mahindra and Aduna
Business

Tech Mahindra and Aduna Forge Strategic Partnership to Transform Telecom Networks through Standardized APIs

July 5, 2025
HCLTech and Equinor
Business

HCLTech and Equinor Strengthen Partnership to Propel Digital Transformation

July 3, 2025
Enterprise Software
Business

The Future of Enterprise Software: Embracing Multimodality

July 3, 2025
Juniper Networks
Business

Hewlett Packard Enterprise Acquires Juniper Networks to offer a comprehensive, cloud-native, AI-driven portfolio

July 3, 2025
Technology

Samsung Launches Skill Development Center at the Government Polytechnic in KGF

July 2, 2025
Premier League
Technology

Premier League Teams Up with Microsoft for Innovative Fan Experience

July 2, 2025
mimik and Tech Mahindra
AI

mimik and Tech Mahindra Launch Agentic AI Production Center to Revolutionize Autonomous AI Development

July 2, 2025
Hinshaw
People

Genpact Welcomes John M. Hinshaw to Board of Directors

July 2, 2025
Load More
ADVERTISEMENT

Latest Updates

Tech Mahindra and Aduna

Tech Mahindra and Aduna Forge Strategic Partnership to Transform Telecom Networks through Standardized APIs

by News Desk
2 days ago

HCLTech and Equinor

HCLTech and Equinor Strengthen Partnership to Propel Digital Transformation

by News Desk
3 days ago

Enterprise Software

The Future of Enterprise Software: Embracing Multimodality

by Deepa Sharma
4 days ago

Juniper Networks

Hewlett Packard Enterprise Acquires Juniper Networks to offer a comprehensive, cloud-native, AI-driven portfolio

by News Desk
4 days ago

Samsung Launches Skill Development Center at the Government Polytechnic in KGF

by News Desk
5 days ago

Premier League

Premier League Teams Up with Microsoft for Innovative Fan Experience

by News Desk
5 days ago

Expert Views

Opinion

When AI Empowers Both Networks and Hackers: The New Battlefield for India’s Telecoms

May 20, 2025
Molly Sands AI
AI

AI RIP: 5 Things Knowledge Workers Will Say ‘Sayonara’ to in the Next Decade

March 8, 2025
multi cloud
Cloud

Multi-Cloud Made Simple: Strategies for Smart Business Management

March 5, 2025
Soft Skills
Opinion

Soft Skills and Technical Know-How: A Winning Combination in the Tech Industry

March 4, 2025
Digital Freedom
Cyber Security

Your Data, Their Gold: The Silent Battle for Digital Freedom

February 25, 2025

Get Latest Update

Subscribe to our mailing list to receives newsletter direct to your inbox!

ADVERTISEMENT

Leaders Interviews

Steve Wilson, GenAI Cybersecurity LLMs
Cyber Security

How effective is GenAI in cybersecurity? The role of LLMs and AI in security solutions. [Interview with Steve Wilson]

-
Interview on Counterfeit products with Nikhil Narayan
Leaders Talk

Advancements in ML & AI made it possible to detect counterfeit products in real-time, says Nikhil Narayan

-
Newgenone bridges the gap between business users and IT teams with its low code capability: Varun Goswami
Leaders Talk

Newgenone bridges the gap between business users and IT teams with its low code capability: Varun Goswami

-
AI chatbots, Prasanna-Kumar
Leaders Talk

Can AI chatbots enhance customer experience and reduce the cost of serving customers?

-

Entrepreneur

Samsung Electronics appoints its first female president

Inspiring Women Entrepreneurs in India (2022)

Technology Adoption For Entrepreneurs

Volunteering management is the need of the Hour

CXOVoice.com is a leading online publication for CXOs, entrepreneurs, senior leaders, developers, and industry professionals. Our coverage spans key sectors, including IT, technology, banking, finance, cybersecurity, engineering, and automobiles.

Connect with us

Easy Links

  • Cryptocurrency
  • Event
  • Blockchain
  • Press Release
  • Resources & Downloads

Write Us

[email protected]
  • Home
  • About Us
  • Contact Us
  • Advertise
  • Privacy & Policy
  • Feedback

Copyright © 2025 CXOVoice - All Right Reserved

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In

Add New Playlist

Our Spring Sale Has Started

You can see how this popup was set up in our step-by-step guide: https://wppopupmaker.com/guides/auto-opening-announcement-popups/

No Result
View All Result
  • Home
  • Technology
    • AI
    • Cloud
    • Telecom
    • Data Center
    • BPM
    • Blockchain
  • Finance
    • Banking
  • Cyber Security
  • View Points
  • Leaders Talk
  • News
  • Press Release
    • Submit Press Release

Copyright © 2025 CXOVoice - All Right Reserved