After asking about the purpose of the AnalyticsCore app on the company's support forum and getting no response, Thijs Broenink reverse engineered the code and found that the app checks for a new update from the company's official server every 24 hours.
With each of these requests, the app sends device identification information, including the phone's IMEI, model, MAC address, nonce, package name, and signature.
If there is an updated app available on the server with the filename "Analytics.apk," it will automatically get downloaded and installed in the background without user interaction.
Now the question is: does your phone verify the correctness of the APK, and does it make sure that it is actually an Analytics app?
Broenink found that there is no validation at all of which APK is installed on the user's phone, which means there is a way for hackers to exploit this loophole.
This also means Xiaomi can remotely and silently install any application on your device just by renaming it to "Analytics.apk" and hosting it on the server.
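The check the article says is missing could look like the following. This is an added example, not Xiaomi's code or Broenink's: `UpdateVerifier`, `isTrustedUpdate` and the `expectedPackage` parameter are hypothetical names, and it assumes the updater compares the downloaded file against the copy of the app already installed on the device.

```java
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashSet;
import java.util.Set;

/** Hypothetical helper: gate a downloaded update before it is handed to the installer. */
public final class UpdateVerifier {

    /** True only if the APK has the expected package name and the same signers as the installed copy. */
    public static boolean isTrustedUpdate(PackageManager pm, String apkPath, String expectedPackage) {
        PackageInfo downloaded = pm.getPackageArchiveInfo(apkPath, PackageManager.GET_SIGNATURES);
        if (downloaded == null || !expectedPackage.equals(downloaded.packageName)) {
            return false; // unparsable file, or a different app behind the expected file name
        }
        PackageInfo installed;
        try {
            installed = pm.getPackageInfo(expectedPackage, PackageManager.GET_SIGNATURES);
        } catch (PackageManager.NameNotFoundException e) {
            return false; // nothing trusted to compare against: fail closed
        }
        Set<String> want = digests(installed.signatures);
        Set<String> got = digests(downloaded.signatures);
        // Require the exact same signer set; an empty set never counts as a match.
        return !want.isEmpty() && want.equals(got);
    }

    /** SHA-256 of each signing certificate, hex encoded. */
    private static Set<String> digests(Signature[] sigs) {
        Set<String> out = new HashSet<>();
        if (sigs == null) return out;
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            for (Signature s : sigs) {
                StringBuilder hex = new StringBuilder();
                for (byte b : sha256.digest(s.toByteArray())) hex.append(String.format("%02x", b));
                out.add(hex.toString());
            }
        } catch (NoSuchAlgorithmException e) {
            out.clear(); // treated as "no signers", so the caller rejects
        }
        return out;
    }
}
```

`PackageManager.GET_SIGNATURES` is deprecated from API level 28 in favour of `GET_SIGNING_CERTIFICATES`; it is used here because it is available on older Android releases.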