Security analysts have found security issues in the payment system present on Xiaomi smartphones that rely on MediaTek chips providing the trusted execution environment (TEE) that is responsible for signing transactions.
Attackers could exploit the weaknesses to sign fake payment packages using a third-party unprivileged application.
The implications of such an attack would be to make the payment service unavailable or to sign transactions from the user’s mobile wallet to the threat actor’s account.
Considering how common mobile payments and Xiaomi phones are, especially in Asian markets, the money pool hackers could tap into is estimated to be in the billions of U.S. dollars.
