Facebook root backdoor in Xiaomi-Service-Framework module


Feb 5, 2019
Hello folks. I installed latest ROM (MIUI 10.2 STABLE RELEASE) on my Redmi 5 Plus and found a Facebook root backdoor in Xiaomi-Service-Framework module [com.xiaomi.xmsf]. You can verify this in a terminal with command: netstat -Wetup

No root access is required to see the connections to view.atdmt.com.39424.9306.302br.net (, but same command in root terminal displays more informations (see screenshot).

My smartphone is rooted with TWRP and Magisk 17.3. I installed AdAway adblocker from f-droid.org to block the backdoor, but I can't remove it. This backdoor already exists in original global ROMs shipped with smartphone

Xiaomi.eu team has done great work to remove bloatware and most of the built-in ads and trackers from Xiaomi's software. Only few modules contain ads and spyware:

Calculator = com miui.calculator: Flurry
CleanMaster = com.miui.cleanmaster: Google, Facebook
Quick apps = com.miui.hybrid: Facebook
Music = com.miui.player: Google, Facebook
Mi Video = com.miui.videoplayer: Google, Facebook
MiGalleryLockscreen = com.mfashiongallery.emag: Facebook

Google inform users about tracking and asks for permission to access user data. Xiaomi too. That's OK. Facebook do not and the backdoor in XMSF is a two-way connection and runs with root rights. That's really bad.

BTW: To keep the door closed I used an iptables script for Magisk in /sbin/.core/img/.core/service.d/


Last edited:
Dec 2, 2017
I had already disabled all the apps listed except cleanmaster & quickapps.

A check of cleanmaster showed that it uploads your directories to Cheetah something.
Cheetah is known for adware and other nasties.

Good catch.

The noroot firewall Netguard can apparently handle traffic from the app Xiaomi-service-framework, if you enable it to control system apps.
Might try that to see if I can see more exactly what is going on.