Flaws in Pre-Installed Security App on Xiaomi Phones Open Them to Hacking

Pierluigi Paganini April 05, 2019

If you use a Xiaomi smartphone you should be aware that a pre-installed security software could be abused for malicious activities.

Bad news for the owners of Xiaomi smartphones: a pre-installed security application could be used as a backdoor by hackers.

Security experts at Check Point have discovered that a security app called Guard Provider, which is currently pre-installed on more than 150 million Xiaomi devices, is affected by multiple vulnerabilities that could have allowed remote attackers to gain control of the phones.


“Check Point Research recently discovered a vulnerability in one of the preinstalled apps in one of the world’s biggest mobile vendors, Xiaomi, which with almost 8% market share ranks third in the mobile phone market. Ironically, it was the pre-installed security app, ‘Guard Provider’ (com.miui.guardprovider), which should protect the phone by detecting malware, which actually exposes the user to an attack.” reads the post published by Check Point.

“Briefly put, due to the unsecured nature of the network traffic to and from Guard Provider, a threat actor could connect to the same Wi-Fi network as the victim and carry out a Man-in-the-Middle (MiTM) attack.”

Guard Provider, developed by Xiaomi, bundles three antivirus engines, Avast, AVL, and Tencent, and lets users choose the one they prefer.

The security app works as a sort of aggregator: it packages third-party software within a single app. The experts noted that it uses several Software Development Kits (SDKs), so the compromise of any one of them potentially opens the door to attackers.

The experts pointed out that the SDKs share the same app context and permissions; the main problems resulting from this implementation are:

  1. A problem in one SDK would compromise the protection of all the others.
  2. The private storage data of one SDK cannot be isolated and can therefore be accessed by another SDK.

Check Point experts discovered that the application was receiving antivirus signature updates over an unsecured HTTP connection, allowing attackers on the same Wi-Fi network to carry out man-in-the-middle attacks. An attacker can then intercept the Xiaomi device’s connection and push malicious updates.

Experts at Check Point demonstrated how to get remote code execution on the targeted Xiaomi device by exploiting four vulnerabilities in two different SDKs used by the app.

The researchers chained the use of an unsecured HTTP connection to deliver software updates, a path-traversal vulnerability in the decompression process that allowed them to overwrite files in the app’s sandbox (including files belonging to another SDK), and the lack of digital signature verification in the update process.
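The three weaknesses described above (cleartext delivery, path traversal during decompression, and no signature check on the update) each have a well-known defensive counterpart. The following is an added example, not code from Xiaomi, Guard Provider or Check Point: it builds a constructed update archive in memory and shows an update handler that refuses non-HTTPS sources, verifies a signature before touching the archive, and rejects any archive entry that would resolve outside the destination directory. The signing scheme is an assumption for the sake of a stdlib-only demo: an HMAC tag with a shared key stands in for the asymmetric signature (only a public key on the device) that a real update mechanism should use.

```python
"""Hardened update handling for the three weaknesses in the Guard Provider
update path: cleartext HTTP, zip path traversal, and no signature check.
Added example, not the vendor's or Check Point's code; stdlib only."""
import hashlib
import hmac
import io
import os
import tempfile
import zipfile
from typing import Dict, List
from urllib.parse import urlparse

# Assumption: a shared HMAC key stands in for an asymmetric signing key so the
# example runs without third-party libraries. Constructed value, not a secret.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


class UpdateRejected(Exception):
    """Raised when an update fails any of the checks below."""


def is_secure_transport(url: str) -> bool:
    """Only HTTPS: an attacker on shared Wi-Fi can rewrite cleartext HTTP."""
    return urlparse(url).scheme == "https"


def sign_package(package: bytes) -> bytes:
    """Tag the whole archive; the device verifies this before extracting."""
    return hmac.new(SIGNING_KEY, package, hashlib.sha256).digest()


def verify_signature(package: bytes, tag: bytes) -> bool:
    """Constant-time comparison; any altered byte invalidates the tag."""
    return hmac.compare_digest(sign_package(package), tag)


def safe_member_path(dest_dir: str, member_name: str) -> str:
    """Resolve an archive entry and require it to stay inside dest_dir.

    This is the guard that blocks a '../../other_sdk/...' entry from
    overwriting files that belong to a different SDK in the same sandbox."""
    dest_root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_root, member_name))
    if os.path.commonpath([dest_root, target]) != dest_root:
        raise UpdateRejected(f"path traversal in archive entry: {member_name!r}")
    return target


def is_safe_member(dest_dir: str, member_name: str) -> bool:
    """Boolean form of safe_member_path for callers that just want a verdict."""
    try:
        safe_member_path(dest_dir, member_name)
        return True
    except UpdateRejected:
        return False


def extract_update(package: bytes, tag: bytes, dest_dir: str) -> List[str]:
    """Verify first, validate every entry, then write; returns written paths."""
    if not verify_signature(package, tag):
        raise UpdateRejected("signature mismatch")
    written: List[str] = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        # Validate all entries before writing anything, so one bad entry
        # cannot leave a half-applied update on the device.
        targets = [(m, safe_member_path(dest_dir, m.filename)) for m in zf.infolist()]
        for member, target in targets:
            if member.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(member) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def build_package(entries: Dict[str, bytes]) -> bytes:
    """Constructed sample archive standing in for an antivirus definition update."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo() -> Dict[str, object]:
    """Exercise all three checks against constructed good and bad updates."""
    good = build_package({"sigs/av.db": b"clean-definitions"})
    evil = build_package({"../../other_sdk/config.dat": b"overwritten"})
    results: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as d:
        root = os.path.realpath(d)
        paths = extract_update(good, sign_package(good), d)
        results["good_written"] = [os.path.relpath(p, root) for p in paths]
        try:
            extract_update(evil, sign_package(evil), d)
            results["evil"] = "extracted"
        except UpdateRejected as err:
            results["evil"] = str(err)
        try:  # tag computed over different bytes, as a MiTM-modified archive would produce
            extract_update(good, sign_package(good + b"x"), d)
            results["tampered"] = "extracted"
        except UpdateRejected as err:
            results["tampered"] = str(err)
    results["http_ok"] = is_secure_transport("http://update.example/av.zip")
    results["https_ok"] = is_secure_transport("https://update.example/av.zip")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ordering matters as much as the individual checks: the signature is verified over the whole archive before any entry is opened, and every entry path is resolved and checked before the first byte is written, so a rejected update leaves the sandbox exactly as it was.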

Check Point reported the vulnerabilities to Xiaomi that quickly addressed them and released a new version of the Guard Provider app.

“It is completely understandable that users would put their trust in smartphone manufacturers’ preinstalled apps, especially when those apps claim to protect the phone itself. This vulnerability discovered in Xiaomi’s ‘Guard Provider’, however, raises the worrying question of who is guarding the guardian. And although the guardian should not necessarily need guarding, clearly when it comes to how apps are developed, even those built in by the smartphone vendor, one cannot be too careful.” concludes Check Point.

“The above attack scenario also illustrates the dangers of using multiple SDKs in one app. While minor bugs in each individual SDK can often be a standalone issue, when multiple SDKs are implemented within the same app it is likely that even more critical vulnerabilities will not be far off.”


Pierluigi Paganini

(SecurityAffairs – Xiaomi, hacking)
