Vulnerability found in Xiaomi phones' pre-installed security app

Interactions between Avast and AVL SDKs spawned dangerous flaw on Xiaomi smartphones.


Xiaomi has patched a security flaw in Guard Provider, the default security app included with all recent Xiaomi smartphones.

The vulnerability would have allowed attackers to inject traffic heading towards the Guard Provider app, and insert malicious commands that would have allowed a threat actor to run malicious code to take over the phone, install malware, or steal users' data.

The security bug was discovered by security researchers from Israeli cyber-security firm Check Point, who will release a detailed report about the issue later today.

Bug caused by interactions between two SDKs

The vulnerability at the heart of this problem comes from the app's design. The Xiaomi Guard Provider app includes three different antivirus brands built into it that users can select and keep as their default antivirus. The three are Avast, AVL, and Tencent.

Xiaomi Guard Provider app

Image: Check Point

The app and these three antivirus products each come with different coding libraries (SDKs - software development kits) that they use to power various functions.

Check Point said that the interactions between two of these SDKs --the Avast SDK and the AVL SDK-- exposed a way to execute code on Xiaomi devices.

This flaw would have had a limited impact, but because traffic coming and going from the Xiaomi Guard Provider was unencrypted, any attacker in a position of injecting the victim's web traffic could effectively have taken over the victim's phone.

This includes Man-in-the-Middle attack scenarios, such as malware found on a router, rogue ISPs, any "evil access point" scenario, and others.

Too many cooks

"The above attack scenario also illustrates the dangers of using multiple SDKs in one app," said Check Point security researcher Slava Makkaveev. "While minor bugs in each individual SDK can be often be a standalone issue, when multiple SDKs are implemented within the same app it is likely that even more critical vulnerabilities will not be far off."

Makkaveev's comments should raise concerns for most smartphone users today. A 2018 study of the Android app ecosystem found the average number of mobile SDKs that are embedded in an app is around 18.

With such a high number of different SDKs interacting with each other inside an app's codebase, app makers may never know how these libraries will combine to spawn super-bugs developers may have never expected.

Check Point's finding also confirms an academic paper published last month that found the Android ecosystem of pre-installed apps to be a complete privacy and security mess, with many pre-installed apps containing security flaws, malware, and harvesting large quantities of user data without giving users a way to opt out or disable these offending apps.

More vulnerability reports: