Security researcher finds pre-installed apps on 150 million Xiaomi phones vulnerable to attacks
Check Point researcher Slava Makkaveev discovered a vulnerability in ‘Guard Provider’, Xiaomi’s pre-installed, non-removable security app, which ironically is meant to protect the phone from malware.
“This vulnerability discovered in Xiaomi’s ‘Guard Provider,’ however, raises the worrying question of who is guarding the guardian. And although the guardian should not necessarily need guarding, clearly when it comes to how apps are developed, even those built in by the smartphone vendor, one cannot be too careful,” Makkaveev said in his blog post.
Guard Provider lets users choose from three built-in antivirus scanners (Avast, AVL and Tencent) to detect potential malware. The app receives its updates through an unsecured HTTP connection.
“Briefly put, due to the unsecured nature of the network traffic to and from Guard Provider, a threat actor could connect to the same Wi-Fi network as the victim and carry out a Man-in-the-Middle (MiTM) attack. Then, as part of a third-party SDK update, he could disable malware protections and inject any rogue code he chooses such as to steal data, implant ransomware or tracking or install any other kind of malware.”
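As an added illustration (not code from Xiaomi, Avast or Check Point), here is the kind of check that keeps a network-delivered SDK update from being swapped in transit: the client refuses plain-HTTP sources and verifies a detached signature against a vendor key bundled with the app. The class name, URLs, payload and key pair are constructed for the example.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.*;

public class SdkUpdateCheck {
    // Accept an update only if it was fetched over HTTPS and its detached
    // signature verifies against the vendor public key shipped inside the app.
    static boolean acceptUpdate(URI source, byte[] pkg, byte[] sig, PublicKey vendorKey)
            throws GeneralSecurityException {
        if (!"https".equalsIgnoreCase(source.getScheme())) {
            return false; // plain HTTP: anyone on the same Wi-Fi can rewrite the response
        }
        Signature verifier = Signature.getInstance("SHA256withECDSA");
        verifier.initVerify(vendorKey);
        verifier.update(pkg);
        try {
            return verifier.verify(sig);
        } catch (SignatureException malformed) {
            return false; // malformed signature bytes are a rejection, not a crash
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key pair; a real app would embed only the public key.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(256);
        KeyPair vendor = gen.generateKeyPair();

        // Constructed payload standing in for an SDK update package.
        byte[] pkg = "constructed SDK update payload".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA256withECDSA");
        signer.initSign(vendor.getPrivate());
        signer.update(pkg);
        byte[] sig = signer.sign();

        // A package modified in transit no longer matches the signature.
        byte[] tampered = pkg.clone();
        tampered[0] ^= 1;

        // Placeholder URLs, not real update endpoints.
        URI https = URI.create("https://updates.example.invalid/sdk.zip");
        URI http = URI.create("http://updates.example.invalid/sdk.zip");
        PublicKey key = vendor.getPublic();
        System.out.println("https + valid sig:    " + acceptUpdate(https, pkg, sig, key));
        System.out.println("https + tampered pkg: " + acceptUpdate(https, tampered, sig, key));
        System.out.println("http  + valid sig:    " + acceptUpdate(http, pkg, sig, key));
    }
}
```

Only the first case is accepted; the signature check is what still holds if the transport protection is ever bypassed.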
The vulnerability is attributed to “SDK Fatigue”: the increased use of multiple SDKs within the same app, which makes the app more susceptible to “crashes, viruses, malware, privacy breaches, battery drain, slowdown, and many other problems.”
Further, the use of several SDKs within the same app could create unpreventable issues for the developers such as:
- A problem in one SDK would compromise the protection of all the others.
- The private storage data of one SDK cannot be isolated and can, therefore, be accessed by another SDK.
By using too many SDKs within the same app, developers leave “organizations and users exposed to potential pitfalls that can be exploited by threat actors to interfere with the regular operation of the device,” Makkaveev concluded.
Following a disclosure report from Check Point Research, Xiaomi soon patched the flaw that exposed users to MiTM attacks.
A Xiaomi spokeswoman said in a statement, “Xiaomi is aware of this and [has] already worked with our partner Avast to fix it.”
For more information about the vulnerability, you can read the Check Point blog.