Update: On Sunday March 8, Xiaomi contacted VentureBeat with a statement in response to the Bluebox report. Then on March 9, Bluebox told VentureBeat that the device may have been counterfeit and provided new findings. 

Data security firm Bluebox has discovered preinstalled malware and a host of other issues with a Xiaomi Mi 4 device the company tested. Scarier still, the phone seems to have been tampered with by an unidentified third party.

Bluebox first issued a report on Thursday, after reaching out to Xiaomi and not getting a response.

When the researchers first received the phone, they made sure it was legitimately a Xiaomi device using Xiaomi’s “Mi Identification” app. The phone passed the identification test, however it may still be counterfeit. Blaich says, that’s concerning because the average user would not be able to tell the difference between this device and a legitimate one. Upon further testing, security researchers found that there were several malicious applications preloaded onto the smartphone, including adware that disguises itself as a verified Google application; trojans, which allow hackers to gain control of the phone; and other high-risk software.

Furthermore, the device was “vulnerable to every vulnerability we scanned for,” wrote Andrew Blaich, Bluebox’s lead security analyst, in a blog post.

Blaich also said that the operating system on the Mi 4 he tested was a non-certified version of Android and therefore subject to a number of flaws. Some of the bugs and security holes his researchers discovered were specific to old Android software, not its current release, leading them to believe that the OS was a mashup between the new KitKat 4.4.4. and an older form of Android. Other issues within the API build made the researchers unsure whether the device was meant for testing or consumer use.

There was also suspicion that the device may have been tampered with, because some of the apps held signatures that differed from the manufacturer’s signing key.

On Friday, the firm finally heard back from Xiaomi.

“We are certain the device that Bluebox tested is not using a standard MIUI ROM, as our factory ROM and OTA ROM builds are never rooted and we don’t pre-install services such as YT Service, PhoneGuardService, AppStats etc. Bluebox could have purchased a phone that has been tampered with, as they bought it via a physical retailer in China. Xiaomi does not sell phones via third-party retailers in China, only via our official online channels and selected carrier stores.” — Hugo Barra, VP International

Barra went on to say that the company was investigating why it took Xiaomi so long to respond to Bluebox’s initial message. He also said that customers should only purchase Xiaomi products from Mi.com and the select verified stores that the company works with. However, Blaich seemed unimpressed by the response.

“If it’s this easy to modify the device in the retail chain, it could also be modified in transit, even when purchased from mi.com,” he wrote, and then referenced a recent article from Der Spiegel that demonstrated how U.S. intelligence officials are able to intercept computers before they reach their destination and load them with malware — a more modern form of wiretapping. The thought being, if Xiaomi smartphones are already getting hacked at the retail level, they may be vulnerable to more complex attacks.

Blaich says device tampering at the retail level isn’t new. Last November, Bluebox found several devices sold at major retailers like Walmart and Target that had been tampered with before being sold.

Within the Mi 4 report, Blaich notes that the more popular a device is, the more frequently it’s attacked. Xiaomi already has 100 million people on its MIUI platform and has plans to launch in the U.S. this year, which means the number of Xiaomi users is only going up.

Since this article was first published, Xiaomi has reached out with the following statement:

“It is likely that the Mi 4 that Bluebox obtained has been tampered with by a third party, because it was purchased from an unofficial channel. With the large parallel market for mobile phones of all brands in China, it is relatively common for third parties to tamper with the software sold on smartphones of any brands through such channels. Xiaomi only sells via Mi.com, and a small number of select Xiaomi trusted partners such as mobile operators.
Furthermore, contrary to what Bluebox has claimed, MIUI is true Android, which means MIUI follows exactly Android CDD, Google’s definition for compatible Android devices, and it passes all Android CTS tests, the process used by the industry to make sure a given device is fully Android compatible, both in China and international markets.”

Get more stories like this on TwitterFacebook