Over the past few days, a little known but well funded mobile security firm, Bluebox, published a report claiming Xiaomi was pre-installing malware on its Mi 4 smartphone. The report also claimed that Xiaomi was shipping the Mi 4 with a rooted ROM and with tampered versions of popular benchmarking apps pre-installed. It also claimed that Xiaomi’s own identifier app showed the phone was a legitimate Xiaomi product, raising questions about the security of products made by one of the fastest rising smartphone brands in South East Asia. However, as it turns out, the smartphone Bluebox had acquired through an unofficial source in China was nothing more than a sophisticated counterfeit. But how did a startup with $27.5 million in funding from Andreessen Horowitz, Tenaya Capital, and Andreas Bechtolsheim fall for a counterfeit product?

Before we go into how Bluebox tested the phone, it is clear from the outset that the company had little understanding of the Chinese market and how rampant counterfeiting is there. It is not just Apple iPhones and Samsung Galaxies that get counterfeited there but even local Chinese smartphone brands that are popular but limited in supply. Xiaomi is a perfect example, as thousands of units of its smartphones get snapped up within minutes, if not seconds, during flash sales. However, the counterfeiting is largely contained within China, since strict import regulations and checks ensure that these units never make it to western countries.

Xiaomi also happens to be one of the most talked-about brands in the US, especially after its meteoric rise in the smartphone space, some high-profile hirings and its multi-fold increase in valuation. However, not many there understand what the brand is all about, its MIUI operating system on top of Android or the reason for its popularity. The common narrative is that Xiaomi is a brand that copied Apple’s hardware design and iOS UI and sold devices for cheap. The misconception is clear from Bluebox’s initial claim that MIUI was “a forked (not certified) form of Android and does not contain Google services.”

In reality, MIUI is certified and comes with Google services outside China (Google services are banned within China). Contrary to what Bluebox has claimed, MIUI is true Android, which means MIUI follows exactly Android CDD, Google’s definition for compatible Android devices, and it passes all Android CTS tests, the process used by the industry to make sure a given device is fully Android compatible. All Xiaomi devices sold in China and international markets are fully Android compatible, Xiaomi had told BGR India in its initial statement.

The first mistake Bluebox committed was to buy a Mi 4 from an illegitimate source. This is Security 101: if you are embarking on a report to find out whether a smartphone (or any other device) is secure, you should acquire it from legitimate retail channels. Not only did Bluebox commit this amateur error, it did not even run a background check on the reseller.

What is also baffling is that Bluebox went for the Chinese version when it seems the company had no one who could understand Chinese. Things would have been much simpler had Bluebox hired someone with some basic Chinese understanding and some local knowledge of the Chinese smartphone market. Or it could have simply gone for an international variant like the one available in India, which comes with English UI and with Google Mobile Services. At least that would have brought them some clarity about MIUI and also ensured it was a legitimate product.

Bluebox claimed that Xiaomi’s phone identifier app also reported it was a legitimate product. If only the researchers had done some, well, research, they would have understood how the phone identifier worked. Unfortunately, Xiaomi’s documentation for the app was only available in Chinese. Bluebox fell for a fake identifier app that simply showed the phone was legitimate by diagnosing the specifications locally. The real app, however, asks users to go to a website and scan a code; the phone then sends some hardware details in encrypted form to Xiaomi’s servers. Whether the phone is legitimate or counterfeit is shown only on that website, not on the phone locally.
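The design difference described above, as an added illustration that is not Xiaomi's code and does not model its real protocol: a local-only check trusts whatever the device reports about itself, so a counterfeit that reports the right spec sheet passes, while a server-side check binds the scanned code to one attempt and renders the verdict from a registry the device cannot edit. The registry serials, spec sheet and session-code handling are all constructed assumptions.

```python
"""Local-only versus server-side device verification (constructed illustration)."""
import secrets

# Constructed registry of genuine hardware serials; stands in for the vendor's
# server-side records. Not real Xiaomi data.
GENUINE_REGISTRY = {"MI-4-CONSTRUCTED-0001", "MI-4-CONSTRUCTED-0002"}
EXPECTED_SPECS = {"model": "MI 4", "ram_gb": 3, "cpu": "Snapdragon 801"}


def local_only_check(reported_specs: dict) -> bool:
    """What a fake identifier app does: compare self-reported specs with the
    expected spec sheet on the phone itself. A counterfeit that simply reports
    the right values passes, so the verdict proves nothing."""
    return all(reported_specs.get(k) == v for k, v in EXPECTED_SPECS.items())


def issue_session_code(issued: set) -> str:
    """Website step: the code the user scans is a fresh, single-use token that
    binds this verification attempt to the website session (assumed design)."""
    code = secrets.token_hex(8)
    issued.add(code)
    return code


def device_report(serial: str, session_code: str) -> dict:
    """Device side: report hardware identity tied to the scanned code. In a real
    deployment this payload would travel encrypted; transport is not modelled."""
    return {"serial": serial, "session_code": session_code}


def server_verify(report: dict, issued: set) -> str:
    """Server side: the verdict comes from the registry, not from the phone, and
    is shown on the website. A stale or reused session code is rejected."""
    if report["session_code"] not in issued:
        return "invalid: unknown or reused session code"
    issued.discard(report["session_code"])  # single use
    if report["serial"] in GENUINE_REGISTRY:
        return "genuine"
    return "counterfeit: serial not in registry"


def counterfeit_demo() -> tuple:
    """A clone that spoofs the spec sheet fools the local check but not the server."""
    spoofed_specs = dict(EXPECTED_SPECS)          # constructed counterfeit self-report
    issued = set()
    code = issue_session_code(issued)
    verdict = server_verify(device_report("CLONE-SERIAL-0000", code), issued)
    return local_only_check(spoofed_specs), verdict
```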

Xiaomi could have done better by having English support for its verification app. “We have so far not received meaningful reports of counterfeit Mi phones outside of China. However, to give our international users peace of mind, an English version of our verification app (that certifies the authenticity of Mi hardware) is in the works,” the company said in a statement issued to BGR India.

There were enough red flags for Bluebox even during its testing to sense something was wrong. The benchmark apps pre-installed on the phone’s internal storage, which replaced legitimate benchmark apps a user downloaded in order to spoof benchmark results, should have been a dead giveaway, for instance. It is also baffling that Bluebox would come to these damaging conclusions based on just one unit that was sourced through dubious means.

Ultimately, I believe the lack of understanding of Xiaomi and its products undid Bluebox. Had the researchers spent some time understanding MIUI and its variants outside China that come with Google Mobile Services, the narrative could have been different.

Here’s Xiaomi’s final statement issued to BGR India on how the two companies came to the conclusion that the product was counterfeit and Bluebox’s findings were completely inaccurate: