A serious security flaw was uncovered in a pre-installed mobile app.
Check Point Research experts have revealed that there is a serious mobile app security flaw hidden in a pre-installed app on Xiaomi smartphones. The security researchers discovered a vulnerability in an app bundled on Xiaomi devices that could potentially allow hackers to hijack smartphones and inject malware.
The security flaw was discovered in the pre-installed Guard Provider security app.
The mobile app security flaw may have affected millions of Xiaomi smartphone users worldwide. The researchers found the flaw within the pre-installed Guard Provider security app. What makes their findings somewhat ironic is that this app was designed to protect a device from malware.
According to Check Point, the app uses multiple third-party Software Development Kits (SDKs). These include three different well-known antivirus brands: Avast, Tencent and AVL. Users have the option to pick the antivirus brand they prefer.
Xiaomi has since issued a patch for the mobile app security flaw.
Check Point reportedly notified Xiaomi of the threat immediately, according to TechRadar, and Xiaomi issued a patch for the flaw.
Check Point’s security experts say the Guard Provider app was problematic because of the unsecured nature of the network traffic to and from the app, combined with the use of multiple SDKs within the same app. As such, a threat actor could potentially connect to the same Wi-Fi network as the smartphone user and carry out a MiTM (Man-in-the-Middle) attack, injecting malicious code (e.g. ransomware, password stealers or any other kind of malware) onto the phone.
That being said, in spite of Check Point’s findings, an Avast spokesperson said in a statement that the flaw the researchers discovered isn’t likely to result in any real harm.
“The attack scenario involving Xiaomi’s ‘Guard Provider’, as described by Check Point in recent research, is proof-of-concept, and would be extremely complex – therefore highly unlikely – to happen in reality,” the spokesperson said.
“Avast is working with mobile partners, including Xiaomi, to further harden the security around Avast SDKs as a precaution and to reassure users that they are safe.”
Still, even though a patch was issued for the mobile app security flaw, Xiaomi smartphone users have been advised to use mobile security software that can protect against possible MiTM attacks. This is important because the app is pre-installed and cannot be deleted by the user.