Photo Credit: Check Point Research
Xiaomi smartphones may have security vulnerabilities. After another report earlier this week about URL spoofing in preloaded browsers, it is now being reported that Xiaomi Guard Provider, a security app which comes pre-installed on Xiaomi smartphones, has been discovered harbouring a grave vulnerability that would have allowed a malicious party to wreak havoc by intercepting the traffic linked to the app. As per the findings of a cyber-security firm, the unencrypted traffic could allow a bad actor to add a malicious code that could be executed to perform data theft or install malware. Thankfully, Xiaomi has patched the vulnerability once the issue was discovered, and so far, there are no reports of the flaw being exploited.
As per a report by Check Point Research, the underlying issue that gave rise to the vulnerability in the Guard Provider app was the use of multiple SDKs for the three different anti-virus services it employs. Xiaomi's pre-installed security app utilised Avast, AVL, and Tencent for scanning the device for virus, all three of which employ different SDKs. But the issue with using multiple SDKs is that threat to one of them can compromise the others too, and the private data of one SDK can be accessed by another SDK as well.
In case of the Guard Provider app, a malicious party could carry out a Man-in-the-Middle (MiTM) attack by connecting to the same Wi-Fi network and tapping into the unsecured traffic routed through the security app. The bad actor could then sever the connection of Avast SDK from the server, change the configuration of the alternate SDK i.e., AVL, link it to a crafted ZIP file, and overwrite other files in the app's sandbox.
Once this happens, the attacker could again activate Avast and allow the malicious APK to be executed by circumventing the security check process. “The attack is successful because the previous Avast update's signature file was not verified before loading and Guard Provider has already checked it the first time it was downloaded”, wrote Check Point Research's Slava Makkaveev. Once Xiaomi was notified of the security threat, the company reportedly released a patch for the Guard Provider app to fix the flaw.
It turns out that the AVL SDK is vulnerable to another security issue that helps the attacker carry out the second stage of the attack: a path-traversal during the decompression process. As a result, the attacker is able to use a crafted archive to overwrite any file in the app's sandbox, including files related to another SDK.
All that the attacker needs to do now is release the Avast communication and block AVL's communication until the user again chooses Avast as the active anti-virus. When this happens, the crafted malicious APK file will be loaded and executed by the Avast SDK.
The attack is successful because the previous Avast update's signature file was not verified before loading and Guard Provider has already checked it the first time it was downloaded. It thus assumes there is no reason to verify it again. In this way, the crafted malicious file can be downloaded and run as he has essentially sneaked around the guard's back.
It is not clear whether the patch released by Xiaomi has addressed only the unsecured traffic routing flaw, or if it has solved an inherent issue associated with the AVL SDK as well. Though if the routing traffic flaw is fixed, the AVL SDK flaw cannot be exploited through a MiTM attack.