Check Point Software's research teams have uncovered vulnerabilities in Xiaomi's mobile payment mechanism.
The team says that the vulnerabilities could allow forging of payment packages or disabling of the payment system directly from an unprivileged Android application.
Affecting the TrustZone-based mobile payment mechanism used by WeChat on Xiaomi's phones, the team says the vulnerabilities could affect up to 1 billion users.
Check Point Research (CPR) collaborated with Xiaomi on the issue; Xiaomi acknowledged the vulnerabilities and provided fixes for them.
When discovering the vulnerabilities, the team analysed the payment system built into Xiaomi smartphones powered by MediaTek chips, which are very popular in China.
During these reviews, they discovered vulnerabilities that could allow forging of payment packages or disabling the payment system from an unprivileged Android application, which would amount to a significant security and data breach.
The research goes on to say that while Trusted Execution Environment (TEE) has been an integral part of mobile devices for many years, there are still inherent risks that have not been explored.
CPR showed how the downgrade vulnerability in Xiaomi's TEE could enable an old version of the WeChat app to steal private keys. This read vulnerability has also been patched by Xiaomi after disclosure and collaboration.
Another discovery was that Xiaomi can embed and sign its own trusted applications. Research teams found that attackers can transfer an old version of a trusted app to the device and use it to overwrite the new app file. Because of this, an attacker can bypass security fixes made by Xiaomi or MediaTek in trusted apps by downgrading them to unpatched versions.
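As an added illustration of the downgrade problem described above (this is not Check Point's or Xiaomi's code, but a simplified model in which an HMAC stands in for the vendor's signature and a dictionary stands in for the TEE's anti-rollback storage): a loader that only checks the signature accepts an older, still validly signed release, while a loader that also ratchets a per-app minimum version refuses it.

```python
import hmac, hashlib, json

# Constructed stand-in for the vendor signing key. A real TEE verifies an
# asymmetric vendor signature; HMAC keeps this example self-contained.
VENDOR_KEY = b"constructed-vendor-signing-key"

def sign_ta(name: str, version: int, code: bytes) -> dict:
    """Build a signed trusted-app (TA) image: metadata + code + vendor MAC."""
    body = json.dumps({"name": name, "version": version,
                       "code": code.hex()}, sort_keys=True).encode()
    return {"body": body,
            "sig": hmac.new(VENDOR_KEY, body, hashlib.sha256).hexdigest()}

def sig_ok(image: dict) -> bool:
    expected = hmac.new(VENDOR_KEY, image["body"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, image["sig"])

def load_ta_signature_only(image: dict) -> bool:
    """Weak loader: any vendor-signed image is accepted, including an
    older release, so whoever holds the old file can downgrade the TA."""
    return sig_ok(image)

class RollbackProtectedLoader:
    """Hardened loader: keeps a per-TA minimum version (in a real TEE this
    lives in tamper-resistant storage) and refuses anything older."""
    def __init__(self):
        self.min_version = {}

    def load(self, image: dict) -> bool:
        if not sig_ok(image):
            return False
        meta = json.loads(image["body"])
        floor = self.min_version.get(meta["name"], 0)
        if meta["version"] < floor:
            return False          # signed but stale: rollback refused
        self.min_version[meta["name"]] = meta["version"]  # ratchet forward
        return True

def demo() -> dict:
    old = sign_ta("soter", 1, b"unpatched build")   # constructed images
    new = sign_ta("soter", 2, b"patched build")
    loader = RollbackProtectedLoader()
    return {"weak_accepts_old": load_ta_signature_only(old),
            "hardened_accepts_new": loader.load(new),
            "hardened_accepts_old_after_new": loader.load(old)}

if __name__ == "__main__":
    print(demo())
```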
Xiaomi devices also have an embedded mobile payment framework named Tencent Soter that provides an API for third-party Android applications to integrate the payment capabilities.
The primary function of Tencent Soter is to verify payment packages transferred between a mobile application and a remote backend server, which is essentially the security guarantee that mobile payments rely on.
The vulnerability found by research teams, labelled by Xiaomi as CVE-2020-14125, completely compromises the Tencent Soter platform, allowing unauthorised users to sign fake payment packages.
After CPR disclosed the issue to Xiaomi and collaborated with it, the vulnerability was patched as of June 2022.
The downgrade issue, which Xiaomi has confirmed belongs to a third-party vendor, is expected to be fixed shortly.
CPR also recommends that all mobile users update their phone's OS to the latest version to prevent any further issues or problems with outdated payment software.