Late last week, mobile security company Bluebox came out with a damning report about security concerns it found with the Xiaomi Mi 4. The report, close on the heels of Lenovo’s Superfish episode, claimed that the Mi 4 comes pre-installed with malware, adware and spyware. The report went on to say that the Mi 4 was “vulnerable for every vulnerability we scan for.” Xiaomi refutes the claims and suggests that the smartphone Bluebox bought was likely a counterfeit device. UPDATE: Xiaomi has confirmed that the unit was “100 percent proven to be a counterfeit product purchased through an unofficial channel on the streets in China.”


Xiaomi has sent a statement to BGR India in which it says the unit Bluebox used to conclude that Xiaomi pre-installs malware was a counterfeit product. Bluebox itself has since confirmed that the product was counterfeit and that its findings were therefore inaccurate.

First, some background. Bluebox procured a Mi 4 from an unofficial third-party reseller in China. The security firm said it ran some tests to ensure the smartphone was not a counterfeit and was satisfied that it was a legitimate Xiaomi product. It then ran some basic tests that revealed six pre-installed apps classified as known malware, adware or spyware.

Further, the firm found that its Mi 4 unit (and its ROM) was already rooted and came with developer debugging enabled out of the box. It also found that the phone’s internal storage had a hidden folder containing some popular benchmarking apps, but those had been re-signed, suggesting they had been tampered with and differed from the authentic versions.

BGR India reached out to Xiaomi and the Chinese smartphone vendor refuted all claims made by Bluebox. It also suggested the possibility that the security company could have bought a counterfeit product.

“There are glaring inaccuracies in the Bluebox blog post. Official Xiaomi devices do not come rooted and do not have malware pre-installed. Our investigation based on information received so far indicates that the phone Bluebox obtained is a counterfeit product purchased through an unofficial channel on the streets in China. We’re gathering more information to fully confirm this and should have a final answer in the next 24 hours,” Xiaomi said in a statement. (Read the complete statement at the end.)

Bluebox also found mismatches between the Android version and the MIUI version, which suggested that the forked operating system was a patchwork of different versions of Android. It also concluded that the OS was most likely test software rather than the final consumer version. Bluebox also reported that MIUI wasn’t certified by Google, a claim Xiaomi calls inaccurate.
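The kind of build-integrity signals described above (a rooted, debug-enabled unit and a platform version that does not match its own components) can be triaged from a device’s `getprop` output before a phone is approved for BYOD use. The following is an added example, not code from Bluebox, Xiaomi or BGR India; the `getprop` excerpt is constructed to resemble such a unit, the API-level table covers only a few public Android releases, and the rule set is an assumption about what a consumer build should look like.

```python
import re

# Constructed `adb shell getprop` excerpt shaped like the findings above
# (debugging on, test build, platform/SDK mismatch); not from a real device.
SAMPLE_GETPROP = """\
[ro.build.type]: [userdebug]
[ro.build.tags]: [test-keys]
[ro.build.version.release]: [5.0]
[ro.build.version.sdk]: [19]
[ro.debuggable]: [1]
[ro.secure]: [0]
[ro.product.model]: [MI 4W]
"""

PROP_RE = re.compile(r"^\[(.+?)\]: \[(.*)\]$")

# Android API level -> major.minor release it belongs to (public Android
# versioning; used to spot a build whose parts do not agree with each other).
SDK_TO_RELEASE = {19: "4.4", 21: "5.0", 22: "5.1", 23: "6.0"}

def parse_getprop(text):
    """Turn getprop's '[key]: [value]' lines into a dict."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props

# Assumed baseline: consumer builds ship as 'user' builds signed with release
# keys, with ro.secure=1 and ro.debuggable=0; anything else needs a closer look.
RULES = [
    ("ro.build.type", lambda v: v != "user", "non-consumer build type"),
    ("ro.build.tags", lambda v: "test-keys" in v, "signed with test keys"),
    ("ro.debuggable", lambda v: v == "1", "debuggable build"),
    ("ro.secure", lambda v: v == "0", "adbd runs as root"),
]

def triage(props):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = [f"{label}: {key}={props[key]}"
                for key, bad, label in RULES
                if key in props and bad(props[key])]
    sdk = int(props.get("ro.build.version.sdk", 0))
    release = props.get("ro.build.version.release", "")
    expected = SDK_TO_RELEASE.get(sdk)
    if expected and not release.startswith(expected):
        findings.append(f"release {release} does not match API level {sdk}")
    return findings
```

Running `triage(parse_getprop(SAMPLE_GETPROP))` on the constructed excerpt reports five findings; a stock consumer build yields an empty list.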

“Contrary to what Bluebox has claimed, MIUI is true Android, which means MIUI follows exactly Android CDD, Google’s definition for compatible Android devices, and it passes all Android CTS tests, the process used by the industry to make sure a given device is fully Android compatible. All Xiaomi devices sold in China and international markets are fully Android compatible,” the statement continued.

Based in San Francisco, Bluebox was founded in 2012 and claims to provide mobile data security solutions for enterprises. It is backed by $27.5 million from Andreessen Horowitz, Tenaya Capital, and Andreas Bechtolsheim. The company was evaluating the Xiaomi Mi 4 as a BYOD option for employees and found that it scored very low on its “Trustable” score. However, the results would be worthless if the Mi 4 it tested does turn out to be a counterfeit product.

Last month Lenovo came under a lot of fire when reports emerged that the company had pre-installed adware called Superfish on some models of its consumer laptops. Superfish broke SSL protocols, enabling it to snoop on secure communications. The company stopped pre-installing the software and offered a tool to remove it from affected laptops.

“Our goal is to find technologies that best serve users. In general, we get pretty good feedback from users on what software we pre-install on computers and do our due diligence. Obviously in this case we didn’t do enough. The intent of loading this tool was to help enhance our users’ shopping experience. What we’re going to do in the next few weeks is dig deeper, and work with users, industry experts and others to see how we can improve what we do around software that comes installed on consumers’ computers. The outcome could be a clearer description of what software is on a user’s machine, and why it’s there,” said a Lenovo spokesperson in response to BGR India’s questions at the time of the Superfish episode.

For Xiaomi, another key security question is that most of its smartphones run an older version of Android and Xiaomi rarely pushes Android updates to them. This could leave its smartphones exposed to security holes that Google fixes in each software update. In response to BGR India’s question, the smartphone maker said it regularly pushes out security updates rather than waiting for platform updates.

“We prioritize security updates over platform updates (via backporting). We have one of the industry’s strongest security software teams and we make sure that our devices are always running the most secure software,” a Xiaomi spokesperson told BGR India.

Here’s the initial official statement Xiaomi sent to BGR India. We are expecting another follow-up statement soon.