A new report has surfaced online revealing that Xiaomi Smartphones with the pre-installed “Security” app are suffering from a serious security flaw. The report revealed that the security flaw allowed hackers to “inject traffic” that was going to the “Security” app. This allowed the app to run malicious code on the smartphone that could let attackers take over the smartphone to install malware or even steal the user data present on the device. It also indicated that the reason for the flaw was the basic design of the Guard Provider app, the “Security” app that comes installed with all Xiaomi smartphones.
The report about the security vulnerability was initially posted by a group of security researchers at Check Point, a cyber-security firm from Israel and later picked up by ZDNet. The report goes into detail to explain the problem that resulted in this vulnerability. The cause of this issue was the presence of three different antivirus brands including Avast, AVL, and Tencent in one single app. Having multiple antivirus apps is not really as problematic as the problem here. This is because the SDKs (Software Development Kit) of two of the antiviruses (Avast and AVL) were interacting with each other exposed a way to execute code on Xiaomi devices.
Watch: Xiaomi Redmi Note 7 Pro First Look
It also revealed that the extent of the flaw could have been limited in terms of its impact but the internet connection coming and going to the Xiaomi “Security” app was not encrypted allowing attackers to successfully launch a two-stage attack with the help of injecting malicious data in the connection. The report stated that such attacks usually come along with “Man-in-the-Middle” attacks where a hacker infects your router or internet modem with a virus or more.
The report highlighted that this attack was part of the problem where Android developers use multiple SDKs to make their final app. This does not take into account the fact that these SDKs themselves may have security flaws which may combine together to form a very dangerous problem, such as in this case. We have reached out to Xiaomi for an official statement about this problem and will update the copy when we receive one.