Xiaomi has patched a security flaw in Guard Provider, the default security app included with all recent Xiaomi smartphones.
The vulnerability would have allowed attackers to inject traffic heading towards the Guard Provider app, and insert malicious commands that would have allowed a threat actor to run malicious code to take over the phone, install malware, or steal users' data.
The security bug was discovered by security researchers from Israeli cyber-security firm Check Point, who will release a detailed report about the issue later today.
Bug caused by interactions between two SDKs
The vulnerability at the heart of this problem comes from the app's design. The Xiaomi Guard Provider app includes three different antivirus brands built into it that users can select and keep as their default antivirus. The three are Avast, AVL, and Tencent.
The app and these three antivirus products each come with different coding libraries (SDKs - software development kits) that they use to power various functions.
Check Point said that the interactions between two of these SDKs (the Avast SDK and the AVL SDK) exposed a way to execute code on Xiaomi devices.
On its own, this flaw would have had a limited impact, but because traffic to and from the Xiaomi Guard Provider app was unencrypted, any attacker in a position to inject into the victim's web traffic could effectively have taken over the victim's phone.
This includes Man-in-the-Middle attack scenarios, such as malware found on a router, rogue ISPs, any "evil access point" scenario, and others.
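The injection position described above exists only because the app's traffic travelled in cleartext. As an added illustration of the control that removes it (not code from Xiaomi, Check Point or any of the SDK vendors), this is an Android network security configuration that refuses plain HTTP for the whole process; the update host name and the pin value are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from AndroidManifest.xml via
     android:networkSecurityConfig="@xml/network_security_config" -->
<network-security-config>
    <!-- Deny cleartext for every connection made through the platform HTTP stack,
         including connections opened by bundled third-party SDKs, so an on-path
         attacker (rogue access point, compromised router, hostile ISP) cannot
         inject responses into update or telemetry traffic. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <!-- Placeholder domain: additionally pin the update host's key so a
         certificate mis-issued by a trusted CA is not enough to intercept it. -->
    <domain-config>
        <domain includeSubdomains="true">updates.example.com</domain>
        <pin-set expiration="2026-01-01">
            <!-- Replace with the base64 SHA-256 of the real SPKI; this is a placeholder. -->
            <pin digest="SHA-256">PLACEHOLDER_BASE64_SPKI_HASH=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
```

Apps targeting Android 9 (API 28) or later already get `cleartextTrafficPermitted="false"` by default; for older targets, or to make the rule explicit for every SDK in the process, the configuration above enforces it. SDKs that open raw sockets bypass this file, so they still need to be audited separately.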
Too many cooks
"The above attack scenario also illustrates the dangers of using multiple SDKs in one app," said Check Point security researcher Slava Makkaveev. "While minor bugs in each individual SDK can often be a standalone issue, when multiple SDKs are implemented within the same app it is likely that even more critical vulnerabilities will not be far off."
Makkaveev's comments should raise concerns for most smartphone users today. A 2018 study of the Android app ecosystem found the average number of mobile SDKs that are embedded in an app is around 18.
With that many SDKs interacting inside a single codebase, app makers may never know how these libraries combine to produce super-bugs that none of the individual developers anticipated.
Check Point's finding also confirms an academic paper published last month that found the Android ecosystem of pre-installed apps to be a complete privacy and security mess. Many pre-installed apps contained security flaws or malware, and many harvested large quantities of user data without giving users a way to opt out or disable the offending apps.