Major Vulnerability Potentially Impacted 150 Million Smartphone Users Worldwide

Researchers discovered a since-patched vulnerability in an app pre-installed on smartphones made by Xiaomi.

|
Apr 4 2019, 4:17pm

Image: Shutterstock

Researchers have discovered multiple vulnerabilities in a pre-installed app on phones made by one of the world’s biggest smartphone vendors that potentially impacted the privacy and security of more than 150 million Android users worldwide.

According to security researchers at Check Point Research, the vulnerabilities were found in an app pre-installed on smartphones made by Xiaomi, the biggest mobile phone manufacturer in China and India, and the fourth biggest by market share in the world.

The app in question was a self-proclaimed security app dubbed “Guard Provider,” which promised to protect Xiaomi users from malware. But Check Point found that the app’s failure to encrypt virus database updates opened Xiaomi users to man in the middle attacks (MiTM) when users connected to public WiFi hotspots.

“Once connected to the same WiFi network as the victim—say, in public places i.e. at restaurants, coffee shops, or malls—the attacker would be able to gain access to the phone owner’s pictures, videos, and other sensitive data, or inject any type of malware,” Check Point told Motherboard in an email.

Xiaomi said last year it had originally hoped to offer its smartphones and other hardware here in the States in 2019, though those efforts may have been delayed for PR reasons given the ongoing national security concerns regarding Huawei and ZTE products.

Xiaomi did not respond to an inquiry by Motherboard about the vulnerability identified by Check Point Research or its US launch plans.

The Check Point report notes Xiaomi’s Guard Provider app utilizes three different integrated antivirus products smartphone users can choose to use to protect themselves from malware: Avast, AVL and software from Tencent.

Yaniv Balmas, head of cyber research at Check Point, told Motherboard that the vulnerabilities could only been exploited if the end user first chose Avast as their initial antivirus protection.

“Each application on its own does not have a serious security issue, however combined a critical security flaw exists,” he said. “In order to trigger the vulnerability a certain specific event flow should be followed. Certain usage combinations of the 3 AVs...do not trigger the vulnerability we discovered.”

The firm said the door to this multi-stage attack is first opened because Xiaomi’s update process uses an unsecured HTTP connection to download virus definitions and other updates.

Because of this, an attacker could use an MiTM attack to detect the timing of Avast antivirus database updates, and then easily predict what the system’s next Android Package (APK) file name will be. From there, the attacker could intercept the response part of the APK connection, while preventing future Avast antivirus updates.

Once the Avast antivirus product updates are blocked, the attacker could switch the default antivirus app to the other two antivirus options. Additional vulnerabilities in the app decompression process then allowed an attacker using a crafted archive to overwrite any file in the app’s sandbox, ultimately leading to the delivery of a malicious payload.

“Minor bugs in each individual SDK can often be a standalone issue, when multiple SDKs are implemented within the same app it is likely that even more critical vulnerabilities will not be far off,” the firm said.

The company says that Xiaomi released a patch shortly after being notified by the research firm, but added there’s some obvious irony with a purported security tool undermining user security.

“This vulnerability discovered in Xiaomi’s ‘Guard Provider’ raises the worrying question of who is guarding the guardian,” the security firm said. “Clearly when it comes to how apps are developed, even those built in by the smartphone vendor, one cannot be too careful.”

Get six of our favorite Motherboard stories every day by signing up for our newsletter.

Stories