Don't use these Chinese smartphones, European government warns

Three generic smartphones side-by-side displaying a montage of the Chinese national flag and a padlock.

(Image credit: Future)

UPDATED with comment from Xiaomi.

Toss out your Xiaomi and Huawei phones, but keep the OnePlus ones, warns the government of Republic of lithuania following the publication of its own study about the security of Chinese-fabricated 5G smartphones.

"Our recommendation is to non purchase new Chinese phones, and to become rid of those already purchased as fast every bit reasonably possible," Lithuanian Deputy Defense force Government minister Margiris Abukevicius told reporters during the unveiling of the report from Republic of lithuania'due south National Cyber Security Center, co-ordinate to Reuters.

Communist china reportedly spying on 'tens of thousands' of Americans via phones
The best Android antivirus apps
Plus: Three unpatched iOS 15 security flaws put online — what to know

Xiaomi seems to do the bidding of the Chinese government in ways that could threaten users in the W, the report argues, including putting a censorship module in its phones and secretly communicating with Chinese-run servers worldwide. Meanwhile, Huawei's lax app-installation procedure tin can get your telephone infected by Android malware.

As for OnePlus, its phones weren't found by the study'south authors to be doing annihilation nefarious. The researchers were following upwards on reports over the by few years that all three brands engaged in perhaps shady behavior.

Neither Xiaomi nor Huawei accept carrier partnerships or direct distribution in the Usa, although their relatively inexpensive phones are piece of cake to buy from major online retailers. The brands are widely known and used in Europe.

What to practice if you have a Huawei or Xiaomi phone

As with all Android phones, you'll want to install and utilise some of the best Android antivirus apps while using these devices. The congenital-in Google Play Protect on Xiaomi phones doesn't cutting it, and we don't know what kind of built-in protection Huawei phones have.

Yous'll likewise desire to avert using all app stores other than the congenital-in AppGallery on a Huawei phone. Those third-party stores often have corrupted versions of well-known apps that secretly contain malware.

Regarding Xiaomi, information technology's a tougher telephone call. The allegations laid out in the Lithuanian regime written report are pretty suspicious, even if the censorship module seems to be turned off in phones sold in Europe.

Likewise, the secret Xiaomi communications might perchance exist explained as role of normal operations, but the researchers weren't able to determine that because they couldn't crack the encrypted letters. You'll have to decide for yourself whether yous want to keep using a Xiaomi phone.

Xiaomi dormant censorship

The Lithuanian researchers found that the Xiaomi Mi 10T regularly updated a file called "MiAdBlacklistConfig" that held a built-in list of about 450 taboo Chinese phrases, including "Free Tibet," "Autonomous Movement" and "Long alive Taiwan's independence."

All are phrases that the Chinese government doesn't desire its citizens to see. The phone has congenital-in filters that are supposed to block users from viewing any kind of media associated with those phrases.

The censorship filter was deactivated for phones sold in the European Marriage, to which Lithuania belongs, but the researchers said information technology could easily be flipped on remotely by Xiaomi.

"The existence of such functionality may jeopardize complimentary access to information and limit its accessibility," stated the report. "This is of import not only for Lithuania, only also for all countries using Xiaomi devices."

Cloak-and-dagger communications

The Xiaomi telephone also secretly communicated with a Chinese-owned server in Singapore when the user signed upward to utilize Xiaomi's cloud functions, which include phone backups and lost-device location services.

Advice with remote servers is normal during such procedures, but in this example, the Xiaomi phone sent a (somehow) encrypted SMS message to the server without the user'south knowledge, and deleted the sent message from the phone's text-message log immediately afterward.

"Investigators were unable to read the contents of this encrypted message, and then we can't tell you what information the device sent," ane of the report's co-authors told The Tape.

The beliefs did not happen once the Xiaomi Deject service was disabled.

"Automatic sending of messages and its darkening by means of software pose potential threats to the security of the device and personal data," warned the Lithuanian authorities study. "In this way, without the user'southward knowledge, device information can exist collected and transmitted to remote servers."

The Xiaomi telephone also sent what the researchers called "a relatively large amount of information" virtually phone configuration, apps and processes, besides as user behavior, to Google Analytics and a like Chinese house called Sensor Data.

It also sent "statistical data on the activity of certain applications" to servers beyond the world run past the Chinese internet visitor Tencent.

Backstairs to malware

The Huawei P40 wasn't found to exist censoring or spying, merely did pose a pretty serious security risk because it regularly reached out to off-road app stores where malicious apps are known to lurk.

Huawei's default app shop is Huawei's own AppGallery. Only if the user searches for an app that's not in the AppGallery, then the phone will search 3rd-party app stores, including simply non limited to APKMonk, APKPure and Aptoide.

The user will exist warned that they're being redirected to off-road stores over which Huawei has no control, and must authorize the jump out of the AppGallery. All the same, the Lithuanian researchers came across three malicious apps through this process while using the Huawei P40.

"Such applications can exist downloaded and installed past the user on the mobile phone, thereby jeopardizing the security of the device and the data contained in it," the report said.

Update: Xiaomi statement

In response to a asking for annotate, Xiaomi provided Tom's Guide with this statement, in full.

"Xiaomi's devices do non censor communications to or from its users. Xiaomi has never and volition never restrict or block whatsoever personal behaviours of our smartphone users, such as searching, calling, web browsing or the utilise of third-party communication software. Xiaomi fully respects and protects the legal rights of all users. Xiaomi complies with the European Union'south General Information Protection Regulation (GDPR)."

Paul Wagenseil is a senior editor at Tom'due south Guide focused on security and privacy. He has also been a dishwasher, fry melt, long-booty commuter, code monkey and video editor. He'south been rooting effectually in the information-security infinite for more 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom'southward Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA dwelling-technology conference. You lot can follow his rants on Twitter at @snd_wagenseil.