Major vulnerabilities were discovered in pre-installed apps on Xiaomi phones. Ironically, the vulnerability was located in the pre-installed security app, Guard Provider. This app looks for malware on the phone and protects users. However, the app instead exposed 150 million users worldwide.
Xiaomi is the fourth-largest mobile phone brand in the world, holding about 8% of the global market. Its phones are widely popular in India and among online customers in the U.S., who buy them from vendors like Amazon.
The vulnerability was discovered by security researchers at Check Point, who released a report this week. Researchers found that the vulnerability lay in the network traffic going to and coming back from Guard Provider: Xiaomi failed to encrypt this traffic.
Further, vulnerabilities also existed within the third-party Software Development Kits (SDKs) the app used to offer its services. Multiple SDKs were built into the app; these included three different antiviruses the user could choose from: Avast, AVL, and Tencent. Using several SDKs within the same app has many drawbacks. Check Point stated:
“there are actually some hidden disadvantages in using several SDKs within the same app. Because they all share the app context and permissions, these main disadvantages are that: A problem in one SDK would compromise the protection of all the others. The private storage data of one SDK cannot be isolated and can therefore be accessed by another SDK.”
Due to the unsecured channels and the use of multiple SDKs, attackers connected to the same Wi-Fi network as the user could carry out man-in-the-middle (MiTM) attacks and inject malicious code. Once the flaw was exploited, attackers could take over the user’s phone, install malware, and steal data.
Since the discovery of the vulnerability, Check Point has contacted Xiaomi, who patched the flaws soon after.