Do not use these Chinese smartphones, European governments warn

Updated with comment from Xiaomi.

The Lithuanian government has issued a warning following the release of an independent report on the security of Chinese-made 5G smartphones. According to Reuters, Lithuanian Deputy Defense Minister Margiris Abkevicius told reporters during the release of the report from the Lithuanian National Cyber Security Center, "Our recommendation is not to buy new Chinese-made phones, and if you have already purchased one, dispose of them as soon as reasonably possible."

Xiaomi seems to be at the mercy of the Chinese government in ways that could threaten Western users, the report claims. Meanwhile, Huawei's lax app installation process could infect phones with Android malware.

As for OnePlus, the authors of the study did not find any malicious activity on the company's phones. The researchers had been tracking reports of possible involvement of all three brands in questionable practices over the past several years.

Neither Xiaomi nor Huawei is affiliated with carriers or sells directly in the United States, but their relatively inexpensive phones are readily available at major online retailers. Both brands are widely known and used in Europe.

As with other Android phones, it is recommended to install and use one of the best Android antivirus apps while using these devices. The built-in Google Play protection on Xiaomi phones is not sufficient, nor is the Google Play protection on Huawei phones, and we do not know what protections are built into Huawei phones.

We would also avoid using app stores other than the built-in AppGallery on Huawei phones. These third-party stores often have corrupted versions of well-known apps that secretly contain malware.

For Xiaomi, the decision is more difficult. The censorship module seems to be turned off on phones sold in Europe, but the allegations described in the Lithuanian government report are highly suspect.

Similarly, Xiaomi's secret communications could be explained as part of normal business, but researchers could not determine this because they could not decrypt the encrypted messages. Whether or not you want to continue to use a Xiaomi cell phone is a decision you must make for yourself.

Lithuanian researchers found that the Xiaomi Mi 10T regularly updates a file called "MiAdBlacklistConfig," which contains a built-in list of nearly 450 Chinese taboo phrases, including "Free Tibet," "Democratic Movement," and "Long live Taiwan's independence."

All of these are phrases that the Chinese government does not want its citizens to see. The phones have built-in filters that prevent users from viewing any media related to these phrases.

This censorship filter is disabled on phones sold in the European Union, of which Lithuania is a part, but researchers say it can easily be turned on remotely by Xiaomi.

"The presence of such a feature could jeopardize free access to information and limit its accessibility. This is important not only for Lithuania, but for all countries using Xiaomi devices."

Xiaomi phones also secretly communicated with a Chinese-owned server in Singapore when users signed up for Xiaomi's cloud features (such as phone backup and location services in case of loss).

While it is common for such procedures to communicate with remote servers, in this case the Xiaomi phone sent encrypted SMS messages to the server (in some way) without the user's knowledge, and shortly thereafter the messages sent to the server were deleted from the phone's text message log.

"Investigators were unable to read the contents of these encrypted messages, so we do not know what information the device sent," one of the report's co-authors told The Record.

This behavior did not occur once the Xiaomi cloud service was disabled.

"The automatic transmission of messages and their concealment by software pose a potential threat to the security of terminals and personal data," warns the Lithuanian government report.

"In this way, data from the terminal could be collected and sent to a remote server without the user's knowledge."

Xiaomi phones also sent what researchers call "relatively large amounts of information" about user behavior, as well as phone settings, apps and processes, to Google Analytics and a similar Chinese company called Sensor Data.

It also sent "statistical data about specific application activity" to servers around the world operated by the Chinese Internet company Tencent.

While the Huawei P40 was not found to be censoring or spying, it did pose a fairly serious security risk because it regularly accessed third-party app stores known to harbor malicious apps.

Huawei's default app store is Huawei's own AppGallery. However, when users search for apps that are not in AppGallery, the phone searches third-party app stores such as APKMonk, APKPure, and Aptoide.

Users are warned that they are being redirected to a third-party store not controlled by Huawei and must authorize the jump from AppGallery. Nevertheless, Lithuanian researchers encountered three malicious apps through this process while using the Huawei P40.

"Such applications can be downloaded and installed on the phone by the user, thereby compromising the security of the device and the data contained in it," the report states.

In response to a request for comment, Xiaomi provided Tom's Guide with this full statement.

"Xiaomi's devices do not censor communications with users. Xiaomi has never restricted or blocked any smartphone user's personal activities, such as searching, calling, web browsing, or using third-party communication software, and does not intend to do so in the future. Xiaomi fully respects and protects the legal rights of all users. Xiaomi complies with the European Union's General Data Protection Regulation (GDPR)."
