A security app that comes pre-installed on more than 150 million devices manufactured by Xiaomi, China’s biggest and the world’s 4th largest smartphone company, suffered from multiple issues that could have allowed remote hackers to compromise Xiaomi smartphones.
According to Check Point, the reported issues resided in one of the pre-installed applications, called Guard Provider, a security app developed by Xiaomi.
It uses several Software Development Kits (SDKs), which, according to the researchers, is not a great idea because the data of one SDK cannot be isolated and any issue in one of them could compromise the protection provided by the others.
“The hidden disadvantages in using several SDKs within the same app lie in the fact that they all share the app context and permissions,” the security firm says.
“While minor bugs in each individual SDK can often be a standalone issue, when multiple SDKs are implemented within the same app it is likely that even more critical vulnerabilities will not be far off.”
Guard Provider was downloading antivirus signature updates through an unsecured HTTP connection, allowing man-in-the-middle attackers sitting on an open WiFi network to intercept the device’s network connection and push malicious updates.
However, the actual attack scenario is not as straightforward as it may sound. As explained by Check Point, researchers successfully achieved remote code execution on the targeted Xiaomi device after exploiting four separate issues in two different SDKs available in the app.
The attack basically leveraged the use of an unsecured HTTP connection, a path-traversal vulnerability and the lack of digital signature verification while downloading and installing an antivirus update on the device.
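The two installer-side checks whose absence is described above can be sketched as follows. This is an added example, not code from Guard Provider, its SDKs or Check Point's report. It assumes the update arrives as a ZIP archive with a detached RSA signature and that the vendor's public key ships inside the app; the class and method names are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.security.Signature;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

/** Hypothetical updater helper; names are illustrative only. */
public final class SafeUpdateInstaller {

    /**
     * Verifies a detached signature over the whole archive, then extracts it
     * while refusing any entry that would resolve outside destDir.
     */
    public static void verifyAndExtract(byte[] archive, byte[] signature,
                                        PublicKey vendorKey, Path destDir)
            throws IOException, GeneralSecurityException {
        // 1. Authenticity: check the signature before parsing any entry, so a
        //    tampered download is rejected even if the transport was plain HTTP.
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(vendorKey);
        verifier.update(archive);
        if (!verifier.verify(signature)) {
            throw new SecurityException("update signature invalid; refusing to install");
        }

        // 2. Path traversal: resolve each entry name and confirm it stays under destDir.
        //    Names such as "../../x" or absolute paths fail the startsWith check.
        Path root = destDir.toAbsolutePath().normalize();
        try (ZipInputStream zip = new ZipInputStream(new ByteArrayInputStream(archive))) {
            ZipEntry entry;
            while ((entry = zip.getNextEntry()) != null) {
                Path target = root.resolve(entry.getName()).normalize();
                if (!target.startsWith(root)) {
                    throw new SecurityException("entry escapes update dir: " + entry.getName());
                }
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zip, target, StandardCopyOption.REPLACE_EXISTING);
                }
            }
        }
    }
}
```

Fetching the update over HTTPS addresses the interception step, but the signature check is what keeps a modified archive from being installed regardless of how it was delivered.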
Check Point reported the issues to the company and confirmed that Xiaomi has now fixed the issues in the latest version of its Guard Provider app.