Bluebox Security thought it tested a legitimate Xiaomi Mi 4 device, riddled with security issues.

A smartphone maker says that a firm's security analysis of one of its phones was actually done on a counterfeit device.

Last week, Bluebox Security said that it tested a legitimate Xiaomi Mi 4 LTE device, a popular smartphone in China, only to find that it was pre-loaded with “suspicious apps,” categorized as malware, spyware or adware. Bluebox also said that the phone had multiple vulnerabilities and that several conflicting API build properties were observed on the device.

Bluebox Lead Security Analyst Andrew Blaich said at the time that the phone was first verified to be a legitimate device by Xiaomi, since the phone was popular among counterfeiters. Further testing, however, showed that the smartphone was, indeed, a fake, Blaich wrote in a follow-up blog post Sunday.

After Bluebox's findings were published, Xiaomi reached out to the security firm Friday denying the claims.

On Monday, Xiaomi also provided a statement to SCMagazine.com on the matter.

“As this device is not an original Xiaomi product, and not running an official Xiaomi MIUI software build, Bluebox's findings are completely inaccurate and not representative of Xiaomi devices. We believe Bluebox jumped to a conclusion too quickly without a fully comprehensive investigation (for example, they did not initially follow our published hardware verification process correctly due to language barrier) and their attempts to contact Xiaomi were inadequate, considering the severity of their accusations,” the statement said.

Through an internal investigation, Xiaomi determined that the physical hardware of the device in question was “markedly different” from their original Mi 4 device, and that the IMEI on the phone was a cloned number previously used on other counterfeit Xiaomi devices in China. The company added in the email that the software installed on the device was not an official Xiaomi MIUI build, since its devices do not come rooted and do not have malware pre-installed.

Bluebox's Blaich wrote Sunday that the “version of the MIUI ROM loaded on this device has had some modifications done to even bypass the authentication checks for the AntiFake app” – a tool released by Xiaomi to help verify the authenticity of devices.

“After in-depth testing, Xiaomi has stated that the device is counterfeit and a very good one at that. It even defeated their verification app initially,” he explained.