cxo voice
  • Business
  • Technology
    • Artificial Intelligence
    • Cloud
    • Telecom
    • Data Center
    • BPM
    • Blockchain
  • Finance
    • Banking
  • CXO Insights
  • Cyber Security
  • CXO Interviews
No Result
View All Result
  • Business
  • Technology
    • Artificial Intelligence
    • Cloud
    • Telecom
    • Data Center
    • BPM
    • Blockchain
  • Finance
    • Banking
  • CXO Insights
  • Cyber Security
  • CXO Interviews
No Result
View All Result
Leaders Talk and Latest Tech News | CXO VOICE
No Result
View All Result
Home Cyber Security

Xiaomi Fixes the Security Flaws In Its Mobile Payment Mechanism

News Desk by News Desk
August 13, 2022
Security flaws Xiaomi

Check Point Research (CPR) recognized the security flaws in Xiaomi’s mobile payment mechanism. The vulnerabilities were in Xiaomi’s Trusted Environment, which is reliable for storing and processing sensitive data such as keys and passwords. CPR responsibly revealed its findings to Xiaomi, which acknowledged and fixed the security flaws. 

Over 1 billion users could have been affected, an attacker could steal private keys used to sign Wechat Pay control and payment packages. In the most ominous case, an unprivileged Android app could have created and signed a fake payment package. The devices studied by CPR were powered by MediaTek chips. 

CPR main findings

Entrusted apps on Xiaomi phone can be downgraded

Xiaomi can embed and sign their own entrusted applications. CPR findings show that an attacker can reposition an old version of a trusted app to the device and use it to overwrite the new app file. Therefore, an attacker can bypass security fixes made by Xiaomi or MediaTek in trusted apps by downgrading them to unpatched versions. CPR found several vulnerabilities in the thhadmin trusted app, which is responsible for security management that could be exploited to leak stored keys or to execute code in the context of the app and then practically perform malicious forged actions.

Embedded mobile payment framework compromised.

Xiaomi devices have an embedded mobile payment framework named Tencent Soter that provides an API for third-party Android applications to integrate the payment capabilities. Its primary function is to provide the ability to verify payment packages transferred between a mobile application and a remote backend server which are essentially the security and safety we all count on when we perform mobile payments.

According to Tencent, hundreds of millions of Android devices support Tencent soter.

The security flaws CPR found, which Xiaomi assigned CVE-2020-14125, ultimately compromised the Tencent soter platform, allowing an unauthorized user to sign fake payment packages.

Two Attack Paths

CPR discovered two ways to attack the trusted code: 

1. From an unprivileged Android app: The user installs a malicious application and launches it. The app extracts the keys and sends a fake payment packet to steal the money.

2. If the attacker has the target devices in their hands: The attacker rootes the device, then downgrades the trust environment and then runs the code to create a fake payment package without an application.

Slava Makkaveev, Security Researcher at Check Point, said, “We discovered a set of vulnerabilities that could allow forging of payment packages or disabling the payment system directly from an unprivileged Android application. We were able to hack into WeChat Pay and implemented a fully worked proof of concept. Our study marks the first time Xiaomi’s trusted applications are being reviewed for security issues. We immediately disclosed our findings to Xiaomi, who worked swiftly to issue a fix. Our message to the public is to constantly make sure your phones are updated to the latest version provided by the manufacturer. If even mobile payments are not secure, then what is?”

Also Read: Remote Work Needs a Redesigned Enterprise Network to Strengthen Cybersecurity

News Desk

News Desk

by CXO VOICE team members, [email protected]

Related Posts

cloudflare Precursor
Cyber Security

Cloudflare Introduces Precursor, One-Click Bot Defense That Monitors User Behavior Instead of CAPTCHA Challenges

July 14, 2026
Tech Mahindra and CloudSEK
Cyber Security

Tech Mahindra, CloudSEK Partner to Deliver Predictive, Regulation-Ready Cybersecurity

July 14, 2026
Tata data breach
Cyber Security

Tata Data Breach  Leaks Unreleased Apple Product Details

June 30, 2026
IBM Red Hat and Palo Alto
Cyber Security

IBM, Red Hat, Palo Alto Networks Expand Project Lightwell for AI-Driven Vulnerability Protection

June 25, 2026
Wipro MDR
Cyber Security

Wipro Expands Palo Alto Networks Alliance to Launch AI-Powered Cyber Defense Services

June 24, 2026
public Wi-Fi
Cyber Security

The Hidden Dangers of Public Wi-Fi: Why Convenience Should Never Replace Caution

June 23, 2026
Wi-Fi Security
Cyber Security

Connected Everywhere, Vulnerable Anywhere: The Security Side of Wi-Fi

June 23, 2026
N-able Bengaluru
Cyber Security

N-able Opens New Global Capability Centre in Bengaluru

June 17, 2026
Load More

More Articles

cloudflare Precursor

Cloudflare Introduces Precursor, One-Click Bot Defense That Monitors User Behavior Instead of CAPTCHA Challenges

by Deepa Sharma
July 14, 2026

Intel Ireland

Intel to Invest €5 Billion in Ireland to Boost AI Chip Production and R&D

by Deepa Sharma
July 14, 2026

Tech Mahindra and CloudSEK

Tech Mahindra, CloudSEK Partner to Deliver Predictive, Regulation-Ready Cybersecurity

by Deepa Sharma
July 14, 2026

LTM and Anthropic

LTM Partners with Anthropic to Expand Enterprise Adoption of Claude AI

by Deepa Sharma
July 13, 2026

Get Weekly CXO Intelligence.

Loading

CXO Insights

public Wi-Fi
Cyber Security

The Hidden Dangers of Public Wi-Fi: Why Convenience Should Never Replace Caution

by Atul Luthra
June 23, 2026
Wi-Fi Security
Cyber Security

Connected Everywhere, Vulnerable Anywhere: The Security Side of Wi-Fi

by Govind Rammurthy
June 23, 2026
Shadow AI
Artificial Intelligence

Shadow AI: The Invisible Threat Growing Inside Modern Enterprises

by Manpreet Singh
June 5, 2026
traceability in Manufacturing
Opinion

From Barcode to Intelligence: How Traceability Is Redefining Manufacturing in India

by S R Srinivasan
May 29, 2026

CXO Interviews

AI Skills
Artificial Intelligence

How AI is transforming skills, education, and workforce development in the future of work

>
1Point1
Business

How 1Point1 Solutions Is Betting Its Future on AI to Redefine BPM

>
NewgenONE
Business

Reimagining Enterprise Transformation: Varun Goswami on the Future of NewgenONE and AI-Driven Automation

>
Jagat Shah, Chairman & CEO of MITSUMI Group
Business

Leadership in Emerging Markets: Exclusive Interview with Jagat Shah, Chairman & CEO of MITSUMI Distribution

>

CXOVoice.com is a leading online publication for CXOs, entrepreneurs, senior leaders, developers, and industry professionals. We publish informed analysis, news reporting, expert commentary, and expert insights across enterprise technology, digital transformation, cybersecurity, data, AI, sustainability, and governance.

Connect with us

Easy Links

  • Cryptocurrency
  • Company Announcements
  • Event
  • Blockchain
  • Resources & Downloads
Loading
  • Home
  • About Us
  • Contact Us
  • Advertise
  • Privacy & Policy
  • Editorial Policy
  • Feedback

Copyright © 2026 CXOVoice - All Rights Reserved

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In

Add New Playlist

No Result
View All Result
  • Home
  • Business
  • Opinion
  • Interview
  • Technology
  • Cyber Security
  • Artificial Intelligence
  • How To
  • Data Center

Copyright © 2026 CXOVoice - All Rights Reserved