Forged payments are a risk for Xiaomi phones with MediaTek chips

News Desk -

Mobile payments have grown in popularity and are now a common form of payment all over the world. We all use them daily and with ease, pushing doubts and uncertainties aside.

But have you ever wondered if this common practice that many of us are accustomed to is truly safe? Could someone steal money from your digital wallet, which you use every day, without your knowledge?

According to the most recent Statista data, the Far East and China will account for two-thirds of global mobile payments in 2021. This equates to approximately $4 billion in mobile wallet transactions. Such a large sum of money is bound to attract the attention of hackers.

In this report, CPR (Mobile) researchers examined the payment system built into Xiaomi smartphones powered by MediaTek chips, which are very popular in China. During these reviews we discovered vulnerabilities that could allow an unprivileged Android application to forge payment packages or disable the payment system outright.

If the TEE is safe, so are your payments

For many years, mobile devices have included a trusted execution environment (TEE). Its primary function is to process and store sensitive security data like cryptographic keys and fingerprints.

Because mobile payment signatures are performed in the TEE, we assume that if the TEE is secure, your payments are as well.

The Asian market, dominated by smartphones powered by MediaTek chips, has yet to be fully explored. Although security management and the core of mobile payments are implemented in trusted applications written by device vendors such as Xiaomi, nobody has been scrutinizing them. This is the first time Xiaomi’s trusted applications have been examined for security flaws.

Our investigation focuses on the trusted apps of MediaTek-powered devices. The Xiaomi Redmi Note 9T 5G with MIUI Global 12.5.6.0 OS was used for testing.

Main findings

Trusted apps on Xiaomi can be downgraded

Xiaomi has the ability to embed and sign their own trusted applications. We discovered that an attacker can transfer an old version of a trusted app to the device and overwrite the new app file. As a result, an attacker can circumvent security fixes implemented by Xiaomi or MediaTek in trusted apps by reverting to unpatched versions.
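The defence against this class of attack is rollback protection at load time: the loader refuses any trusted-app image whose version is lower than the highest version it has already accepted, even when the image carries a perfectly valid vendor signature, because an old, unpatched build is still a genuinely signed build. The Go program below is an added illustration written for this article, not Xiaomi's or MediaTek's loader code. The image structure, the app name and the version numbers are constructed, and a real TEE would keep the version counter in tamper-resistant secure storage rather than in an in-memory map.

```go
package main

import (
	"errors"
	"fmt"
)

// TAImage is a constructed model of a vendor-signed trusted-app image.
// SignatureOK stands in for the vendor signature check, which passes for
// every genuine image, old or new: signing alone cannot stop a downgrade.
type TAImage struct {
	Name        string
	Version     uint32
	SignatureOK bool
}

var (
	ErrBadSignature = errors.New("image signature invalid")
	ErrRollback     = errors.New("image version lower than last accepted version")
)

// Loader keeps, per trusted app, the highest version it has ever accepted.
// In a real TEE this counter lives in rollback-protected secure storage,
// not in ordinary flash that an attacker with file-system access can rewrite.
type Loader struct {
	highest map[string]uint32
}

func NewLoader() *Loader { return &Loader{highest: map[string]uint32{}} }

// Load accepts an image only if it is genuinely signed and not older than
// the newest version previously accepted for that app. Reinstalling the
// same version is allowed; a newer version raises the counter.
func (l *Loader) Load(img TAImage) error {
	if !img.SignatureOK {
		return ErrBadSignature
	}
	if last, seen := l.highest[img.Name]; seen && img.Version < last {
		return ErrRollback
	}
	if img.Version > l.highest[img.Name] {
		l.highest[img.Name] = img.Version
	}
	return nil
}

// Highest reports the anti-rollback counter for one trusted app.
func (l *Loader) Highest(name string) uint32 { return l.highest[name] }

func main() {
	l := NewLoader()
	// Constructed sequence: the patched v2 ships with the firmware, an attacker
	// then tries to put back the validly signed but unpatched v1.
	for _, img := range []TAImage{
		{"wechat", 2, true},
		{"wechat", 1, true},
		{"wechat", 3, false},
	} {
		fmt.Printf("load %s v%d: %v\n", img.Name, img.Version, l.Load(img))
	}
}
```

The point the sequence makes is that the second image fails only because of the counter, not because of the signature; without the counter the loader has no way to tell a deliberately restored old build from a legitimate one.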

We discovered several vulnerabilities in the admin trusted app, which is in charge of security management, that could be exploited to leak stored keys or execute code in the context of the app, allowing malicious forged actions to be performed.

Embedded mobile payment framework compromised

Tencent Soter, an embedded mobile payment framework in Xiaomi devices, provides an API for third-party Android applications to integrate payment capabilities. Its primary function is to verify payment packages transferred between a mobile application and a remote backend server, which is essentially the security and safety we all rely on when making mobile payments.

Tencent soter is supported by hundreds of millions of Android devices, according to Tencent.

WeChat Pay and Alipay are the two most important players in China’s digital payment industry. They account for roughly 95% of the Chinese mobile payments market. These platforms each have over a billion users. WeChat Pay is based on the Tencent cryptocurrency. If an app vendor wants to implement his own payment system, including the backend that stores users’ credit cards, bank accounts, and so on, without being tied to the WeChat app, he can use the Tencent soter to directly verify the authenticity of transactions on its backend server, or in other words, make sure that a payment packet was sent from his app installed on a specific device and approved by the user.
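The backend-side verification the two paragraphs above describe comes down to a challenge-response over a device-bound key: the backend issues a one-time challenge, the TEE signs the payment package with a private key that never leaves it, and the backend checks the signature against the public key enrolled for that device and consumes the challenge. The Go program below is an added example written for this article to show that flow with both sides' messages; it is not Tencent soter's code or wire format. The package fields, device identifier, amounts and merchant name are constructed, Ed25519 stands in for whatever key type the real framework uses, and the in-memory maps stand in for the backend's database.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// PaymentPackage is a constructed stand-in for the data a payment app hands
// to the TEE for signing. The challenge binds one package to one transaction.
type PaymentPackage struct {
	DeviceID  string `json:"device_id"`
	Challenge string `json:"challenge"`
	Amount    int64  `json:"amount"` // minor currency units
	Merchant  string `json:"merchant"`
}

// Device models the TEE side: the private key is generated and kept here.
type Device struct {
	ID  string
	key ed25519.PrivateKey
}

// NewDevice creates the device key pair; the public half is enrolled with the backend.
func NewDevice(id string) (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{ID: id, key: priv}, pub, nil
}

// Sign serialises the package and signs exactly the bytes the backend will verify.
func (d *Device) Sign(p PaymentPackage) (pkg, sig []byte, err error) {
	p.DeviceID = d.ID
	if pkg, err = json.Marshal(p); err != nil {
		return nil, nil, err
	}
	return pkg, ed25519.Sign(d.key, pkg), nil
}

var (
	ErrUnknownDevice = errors.New("unknown device")
	ErrBadSignature  = errors.New("signature does not match package")
	ErrReplay        = errors.New("challenge not outstanding (used or never issued)")
)

// Backend models the app vendor's server: enrolled public keys plus
// the set of challenges that are still unused.
type Backend struct {
	keys       map[string]ed25519.PublicKey
	challenges map[string]bool
}

func NewBackend() *Backend {
	return &Backend{keys: map[string]ed25519.PublicKey{}, challenges: map[string]bool{}}
}

func (b *Backend) Enroll(id string, pub ed25519.PublicKey) { b.keys[id] = pub }

// IssueChallenge hands out a fresh random nonce that is accepted at most once.
func (b *Backend) IssueChallenge() (string, error) {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	c := fmt.Sprintf("%x", buf)
	b.challenges[c] = true
	return c, nil
}

// Verify checks the device is enrolled, the challenge is outstanding and the
// signature covers the received bytes; the challenge is consumed only on success.
func (b *Backend) Verify(pkg, sig []byte) (PaymentPackage, error) {
	var p PaymentPackage
	if err := json.Unmarshal(pkg, &p); err != nil {
		return p, err
	}
	pub, ok := b.keys[p.DeviceID]
	if !ok {
		return p, ErrUnknownDevice
	}
	if !b.challenges[p.Challenge] {
		return p, ErrReplay
	}
	if !ed25519.Verify(pub, pkg, sig) {
		return p, ErrBadSignature
	}
	delete(b.challenges, p.Challenge)
	return p, nil
}

func main() {
	backend := NewBackend()
	dev, pub, _ := NewDevice("device-A1") // constructed device id
	backend.Enroll(dev.ID, pub)
	c, _ := backend.IssueChallenge()
	pkg, sig, _ := dev.Sign(PaymentPackage{Challenge: c, Amount: 1999, Merchant: "example-merchant"})
	_, err := backend.Verify(pkg, sig)
	fmt.Println("genuine package:", err)
	_, err = backend.Verify(pkg, sig)
	fmt.Println("replayed package:", err)
}
```

The security of this scheme rests entirely on the private key staying inside the TEE and on the TEE signing only packages the user actually approved; that is precisely the property a code-execution bug in the signing trusted app, or a downgrade that leaks the key, takes away.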

The vulnerability we discovered, CVE-2020-14125, completely compromises the Tencent soter platform, allowing an unauthorized user to sign bogus payment packages.

Slava Makkaveev, Security Researcher at Check Point Software, said, “We discovered a set of vulnerabilities that could allow forging of payment packages or disabling the payment system directly, from an unprivileged Android application. We were able to hack into WeChat Pay and implemented a fully worked proof of concept. Our study marks the first time Xiaomi’s trusted applications are being reviewed for security issues. We immediately disclosed our findings to Xiaomi, who worked swiftly to issue a fix. Our message to the public is to constantly make sure your phones are updated to the latest version provided by the manufacturer. If even mobile payments are not secure, then what is?”

Conclusion

Our report takes a close look at a set of vulnerabilities within Xiaomi’s trusted applications, which are responsible for managing device security and mobile payments and are used by millions of users around the globe.

Throughout this research we observed ways to attack the platform built into Xiaomi smartphones and used by millions of users in China for mobile payments.

An unprivileged Android application could exploit the CVE-2020-14125 vulnerability to execute code in the wechat trusted app and forge payment packets.

After our disclosure and collaboration, this vulnerability was patched by Xiaomi in June 2022.

In addition, we showed how the downgrade vulnerability in Xiaomi’s TEE can enable the old version of the wechat app to steal private keys. This vulnerability has also been patched and fixed by Xiaomi after disclosure and collaboration.

The downgrade issue, which Xiaomi has confirmed belongs to a third-party vendor, is being fixed shortly.
