A preinstalled mobile security app on Xiaomi phones left user devices more vulnerable than protected, researchers said.
Check Point researchers discovered a vulnerability in Xiaomi phones’ “Guard Provider app” that could expose users to attacks because network traffic to and from the app is unsecured and multiple SDKs are used within the same app.
The vulnerabilities are the result of what researchers described as “SDK fatigue,” in which the use of multiple SDKs in the app leaves it more susceptible to problems that could allow threat actors connected to the same Wi-Fi network as the victim to carry out a Man-in-the-Middle (MiTM) attack.
“Due to gaps in communication between the multiple SDKs, the attacker could then inject any rogue code he chooses such as password stealing, ransomware, tracking or any other kind of malware,” researchers said in the report.
The design also leaves the app more susceptible to crashes, viruses, malware, privacy breaches, battery drain and slowdown, among other problems.
Fortunately, Xiaomi released a patch for the flaw shortly after researchers brought it to its attention, but the problem of preinstalled and potentially harmful apps isn’t unique to the brand.
Google’s Android Security and Privacy Year in Review 2018 report, released earlier this month, said “malicious actors increased their efforts to embed PHAs into the supply chain using two main entry points: new devices sold with pre-installed PHAs and over the air (OTA) updates that bundle legitimate system updates with PHAs.”