Xiaomi’s ‘Guard Provider’ app exposed its users to a major vulnerability
Xiaomi’s Guard Provider is a pre-installed application that is supposed to protect users from malware. Ironically, this very application had a major flaw that exposed Xiaomi users to remote code execution (RCE). The vulnerability was discovered by Check Point Research, who reported it to Xiaomi.
This is a serious case because pre-loaded applications are expected to be safe. But because the app’s network traffic was unencrypted, a threat actor on the same Wi-Fi network as the victim could carry out a Man-in-the-Middle (MiTM) attack and inject malicious code to steal data, plant ransomware, or install tracking software or any other kind of malware.
Here’s how a ‘hacker’ could install malware on your Xiaomi phone
1) The Guard Provider application on Xiaomi phones bundles three different antivirus engines that the user can choose from: Avast, AVL and Tencent. Because all three run inside the same application, they share its context and permissions.
2) An SDK (Software Development Kit) is the set of libraries a third party ships so that its engine can be built into another application. When three providers’ SDKs run inside one application, sharing its context and permissions, a flaw in one SDK undermines the protection offered by the others.
3) Here is how an attacker could actually exploit this. Avast is the default scanner in Guard Provider. Its virus database is updated frequently by downloading an APK file into Guard Provider’s private directory, but the application fetches that file over an unencrypted HTTP connection.
4) Because the connection is not secured, an attacker on the same network can intercept the download and disable future Avast updates by answering with an error.
5) With Avast updates blocked, the user is likely to switch to AVL Anti-Virus.
6) The AVL SDK has a flaw of its own: a path traversal that lets the attacker reach directories outside the one the SDK is supposed to be confined to. In practice this means the attacker can block AVL’s communication with its server too.
7) The attacker can now replace the Avast update APK with a malicious one and wait for the user to switch back to Avast. When that happens, Avast installs the malicious APK without verifying the file’s signature.
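To make the update path concrete, here is an added example that models the chain above in Go. It is written for this article and is not code from Xiaomi, Avast, AVL or Check Point. `insecureAccept` mirrors the behaviour described in steps 3 to 7: whatever bytes come back over plain HTTP are installed. `secureAccept` is the hardened equivalent: it requires HTTPS and verifies a detached signature over the update under a public key pinned in the client. `safeExtractPath` is the containment check an archive-handling SDK needs to avoid the kind of path traversal described in step 6. The Ed25519 key pair, the update directory, the URLs and the payload bytes are all constructed for the example; the real vendors’ signature schemes are not stated in the article.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// updateDownload models what a Guard Provider-style client receives for one
// definitions update: where it came from, the bytes, and a detached signature.
type updateDownload struct {
	URL     string
	Payload []byte
	Sig     []byte
}

// newVendorKeys generates a throw-away Ed25519 key pair standing in for the AV
// vendor's signing key. Constructed for this example only: a real client ships
// the vendor's public key pinned inside the app and never sees the private key.
func newVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // entropy failure; nothing sensible to do in a demo
	}
	return pub, priv
}

// signUpdate is the server side: a detached signature over the update bytes.
func signUpdate(priv ed25519.PrivateKey, payload []byte) []byte {
	return ed25519.Sign(priv, payload)
}

// insecureAccept mirrors the behaviour the article describes: whatever bytes
// arrive over plain HTTP are treated as the genuine update and installed.
func insecureAccept(d updateDownload) ([]byte, error) {
	return d.Payload, nil
}

// secureAccept is the hardened version. It refuses plaintext transports and
// refuses any payload whose signature does not verify under the pinned key, so
// an on-path attacker can at most block an update, never substitute one.
func secureAccept(pinned ed25519.PublicKey, d updateDownload) ([]byte, error) {
	u, err := url.Parse(d.URL)
	if err != nil || u.Scheme != "https" {
		return nil, fmt.Errorf("refusing update from %q: transport is not https", d.URL)
	}
	if len(d.Sig) != ed25519.SignatureSize || !ed25519.Verify(pinned, d.Payload, d.Sig) {
		return nil, errors.New("refusing update: signature does not verify under pinned vendor key")
	}
	return d.Payload, nil
}

// safeExtractPath is the containment check an archive-handling SDK needs before
// writing an entry from an untrusted update: the entry name must resolve to a
// path inside updateDir, or it is rejected as path traversal.
func safeExtractPath(updateDir, entryName string) (string, error) {
	if filepath.IsAbs(entryName) || strings.Contains(entryName, "\\") {
		return "", fmt.Errorf("entry %q: absolute or non-portable name rejected", entryName)
	}
	dest := filepath.Join(updateDir, entryName) // Join cleans ".." segments into the real target
	rel, err := filepath.Rel(updateDir, dest)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("entry %q escapes %s (resolves to %s)", entryName, updateDir, dest)
	}
	return dest, nil
}

func main() {
	pub, priv := newVendorKeys()
	genuine := []byte("constructed: AV definitions build 42") // stands in for the real update APK
	good := updateDownload{URL: "https://updates.example.test/defs.apk", Payload: genuine, Sig: signUpdate(priv, genuine)}

	// Step 7 of the article: an on-path attacker swaps the APK in transit.
	swapped := good
	swapped.Payload = []byte("constructed: attacker-supplied APK")

	if _, err := insecureAccept(swapped); err == nil {
		fmt.Println("vulnerable client: installed attacker payload")
	}
	if _, err := secureAccept(pub, swapped); err != nil {
		fmt.Println("hardened client:", err)
	}
	if _, err := secureAccept(pub, good); err == nil {
		fmt.Println("hardened client: genuine update accepted")
	}

	// Step 6: an archive entry that tries to climb out of the update directory.
	for _, name := range []string{"defs/avl.db", "../../lib/libhook.so"} {
		if dest, err := safeExtractPath("/data/data/com.example.guard/files/update", name); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("extract to:", dest)
		}
	}
}
```

Run it with `go run`. Note what the hardened client does and does not buy you: an on-path attacker can still answer with an error and block updates (step 4), which is a denial of service, but he can no longer substitute a payload of his own (step 7), because the swapped bytes fail verification. On Android the equivalent native check is to read the signing certificate of the downloaded file via `PackageManager.getPackageArchiveInfo` and compare it against the pinned vendor certificate before loading anything from the APK.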
Fortunately, Check Point Research disclosed the issue responsibly to Xiaomi before publishing it. At the time of writing, Xiaomi has already released a security patch that fixes the bug.
Xiaomi’s Guard Provider application had a bug through which attackers could install malware on the phone. Its root cause was unencrypted network traffic to and from the application, and it also illustrated the risk of bundling several third-party SDKs in one app. If you have a Xiaomi phone, there is no need to panic: Xiaomi has fixed the bug with a patch, so if you haven’t installed the latest security update on your phone, I’d recommend doing so as soon as possible.
Xiaomi really needs to get its act together when it comes to software. Users have already expressed their anger over the ads displayed throughout its software. And now this!