Facebook root backdoor in Xiaomi-Service-Framework module

[Conus]

Hello folks. I installed latest ROM (MIUI 10.2 STABLE RELEASE) on my Redmi 5 Plus and found a Facebook root backdoor in Xiaomi-Service-Framework module [com.xiaomi.xmsf]. You can verify this in a terminal with command: netstat -Wetup

No root access is required to see the connections to view.atdmt.com.39424.9306.302br.net (69.172.216.56), but same command in root terminal displays more informations (see screenshot).

My smartphone is rooted with TWRP and Magisk 17.3. I installed AdAway adblocker from f-droid.org to block the backdoor, but I can't remove it. This backdoor already exists in original global ROMs shipped with smartphone

Xiaomi.eu team has done great work to remove bloatware and most of the built-in ads and trackers from Xiaomi's software. Only few modules contain ads and spyware:

Calculator = com miui.calculator: Flurry
CleanMaster = com.miui.cleanmaster: Google, Facebook
Quick apps = com.miui.hybrid: Facebook
Music = com.miui.player: Google, Facebook
Mi Video = com.miui.videoplayer: Google, Facebook
MiGalleryLockscreen = com.mfashiongallery.emag: Facebook

Google inform users about tracking and asks for permission to access user data. Xiaomi too. That's OK. Facebook do not and the backdoor in XMSF is a two-way connection and runs with root rights. That's really bad.

BTW: To keep the door closed I used an iptables script for Magisk in /sbin/.core/img/.core/service.d/

 

[cobben]

Interesting, the very first line in an old Adaways hosts file from last year is:

view.atdmt.com.39424.9306.302br.net

 

[Stoffl]

And into my adaway filters it goes

 

[cobben]

I had already disabled all the apps listed except cleanmaster & quickapps.

A check of cleanmaster showed that it uploads your directories to Cheetah something.
Cheetah is known for adware and other nasties.

Good catch.

The noroot firewall Netguard can apparently handle traffic from the app Xiaomi-service-framework, if you enable it to control system apps.
Might try that to see if I can see more exactly what is going on.

 

[Oldenburger]

I use Blokada.
A lot of Facebook requests will be blocked.
Likewise from Xiaomi.

 

[cobben]

Perhaps not related, but a peculiar thing happened when connecting to the free internet on a ferry just now.

I got "connection refused" on my Mi Note 2 with a newer version hosts file, while it connected normally on my Max1 with an older version hosts file.
Changing the hosts file on the Mi Note 2 to the older version worked.

Now why does the free wifi require a connection at all to this site?:

http://connect.rom.miui.com/generate_204

I have another peculiar problem with this free wifi- when I send email to a certain Swedish county organisation via the free wifi, it gets rejected as spam.
Never have this problem any other time with any other provider.

The (Stenaline) onboard internet is run I believe by Norwegian Telenor, if that makes any difference.
When on the ferry I get localized to Norway on occasion.
They provide the extremely expensive mobile connections on these ferries also.

 

[BlackRose07]

Good job @Conus
Thanks!

 

[MarkHUK]

I'd be careful of the terminology of 'backdoor' when referencing what appears to be Ad tracking code URIs. Also where is the evidence of 'root' privileges granted here? If you are going to make bold claims of 'Backdoors' at least provide a full synopsis to that fact and not just talk about Ad Tracking URIs in APKs.