Security researchers at Check Point have discovered multiple security vulnerabilities in a security app pre-installed on Xiaomi phones, which exposed over 150 million Xiaomi phone users across the world to cyber attacks.
The flaws were found in 'Guard Provider', a security app that comes pre-installed on all Xiaomi phones and cannot be removed by users. According to Check Point researchers, the use of multiple SDKs within the same app and the unsecured nature of the network traffic to and from Guard Provider allowed an attacker to carry out Man-in-the-Middle (MiTM) attacks.
"Due to the unsecured nature of the network traffic to and from Guard Provider and the use of multiple SDKs within the same app, a threat actor could connect to the same Wi-Fi network as the victim and carry out a Man-in-the-Middle (MiTM) attack. Due to gaps in communication between the multiple SDKs, the attacker could then inject any rogue code he chooses such as password stealing, ransomware, tracking or any other kind of malware," the researchers said in a blog post.
They said that the use of multiple SDKs (software development kits) within an app is not advisable, because it makes the app more susceptible to crashes, viruses, malware, privacy breaches, battery drain, slowdown and other problems.
At the same time, a problem in one SDK can compromise the protection of other SDKs within the same app, and the private storage data of one SDK can be accessed by other SDKs within the same app. Despite such risks, a modern mobile app has around 18 SDKs on average, leaving organisations and users exposed to hacking attacks.
Multiple SDKs complicated app security in Xiaomi phones
Describing the vulnerability in the 'Guard Provider' app in Xiaomi phones, the researchers said that if a Xiaomi device user sets Avast as the default antivirus scanner, the Avast app periodically downloads the avast-android-vps-v4-release.apk APK file to Guard Provider's private directory. The APK file is then loaded and executed by the Avast SDK before the device is scanned.
However, since the update mechanism uses an unsecured HTTP connection to download the APK file, an attacker can carry out a man-in-the-middle attack to detect the timing of the Avast update and predict the name the next APK file will have on disk. This way, the attacker is able to prevent future Avast updates by responding with a "404 error" to requests made via HTTP.
If the user switches over to AVL Anti-Virus as the default antivirus app, AVL downloads the archive of signatures indicated in the read_update_url field and decompresses it to the Guard Provider directory. However, since the download takes place through an unsecured HTTP connection, an attacker can change the content of the .conf file and then use a crafted archive to overwrite any file in the app's sandbox, including files related to another SDK.
"The attack is successful because the previous Avast update’s signature file was not verified before loading and Guard Provider has already checked it the first time it was downloaded. It thus assumes there is no reason to verify it again. In this way, the crafted malicious file can be downloaded and run as he has essentially sneaked around the guard’s back.
"The attack scenario also illustrates the dangers of using multiple SDKs in one app. While minor bugs in each individual SDK can often be a standalone issue, when multiple SDKs are implemented within the same app it is likely that even more critical vulnerabilities will not be far off," the researchers added. The flaws were subsequently patched by Xiaomi upon being reported by Check Point researchers.
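The chain described above turns on two missing checks: the archive one SDK decompresses is allowed to write outside its own directory, and the APK another SDK caches is trusted because it was verified once at download time. The example below is added here and is not Check Point's, Xiaomi's or either vendor's code; the sandbox path, member names and file contents are constructed for illustration.

```python
import hashlib
import io
import os
import zipfile

def check_archive_members(archive_bytes, dest_dir):
    """Return the member names of a zip only if every one resolves inside dest_dir.
    Call this before extracting; a member such as '../sibling.apk' raises instead."""
    dest_real = os.path.realpath(dest_dir)
    names = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError("archive member escapes sandbox: " + info.filename)
            names.append(info.filename)
    return names

def verify_before_load(data, pinned_sha256):
    """Re-check the pinned digest on every load, not only once at download time."""
    if hashlib.sha256(data).hexdigest() != pinned_sha256:
        raise ValueError("cached update no longer matches pinned digest")
    return data

def build_zip(entries):
    """In-memory zip from {member_name: bytes}; constructed test input only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo(sandbox="/data/data/example.guard/files"):  # hypothetical app sandbox path
    """Constructed scenario: a signature bundle must stay inside its SDK's directory,
    and a sibling SDK's cached update must be re-verified on every load."""
    avl_dir = os.path.join(sandbox, "avl")
    benign_ok = check_archive_members(build_zip({"signatures.db": b"v1"}), avl_dir) == ["signatures.db"]
    try:
        check_archive_members(build_zip({"../sibling-update.apk": b"x"}), avl_dir)
        traversal_rejected = False
    except ValueError:
        traversal_rejected = True
    genuine = b"genuine update bytes (constructed)"
    pinned = hashlib.sha256(genuine).hexdigest()
    try:
        verify_before_load(b"swapped on disk", pinned)  # content changed after download
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return benign_ok, traversal_rejected, tamper_detected
```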
Commenting on the discovery of such flaws in Xiaomi devices, Andrew van der Stock, senior principal consultant at Synopsys, said that phone manufacturers and software providers have a special responsibility to employ security reviews, supply chain security management, and ensure that any such applications that cannot be removed from the phone are truly safe.
"The reality is that for most consumers, Android One phones, which have a stock Android experience, are likely to be an excellent choice, as there is no additional software, and Google provides timely security updates for the support period of the phone," he added.