Xiaomi mobile app hid major security flaw

(Image credit: Xiaomi) (Image credit: Xiaomi)

Xiaomi smartphones may have been affected by a serious security flaw hidden in a pre-installed mobile app, researchers have claimed.

Experts from Check Point Research said they discovered a vulnerability in an app bundled on Xiaomi devices that could have let hackers hijack smartphones and inject malware.

China's Xiaomi has enjoyed huge success in recent years to become the third-largest mobile vendor in the world, meaning millions of users may have been affected.

Insecure

The flaw was found within the pre-installed Guard Provider security app, ironically designed to prevent a device being infected by malware, and an app that is not able to be deleted by the user.

Check Point says that Guard Provider uses several third-party Software Development Kits (SDKs), including three different antivirus brands built that the user can choose from to protect their phone: Avast, AVL and Tencent. 

However, due to the unsecured nature of the network traffic to and from the Guard Provider app and the use of multiple SDKs within the same app, a threat actor could connect to the same Wi-Fi network as the victim and carry out a Man-in-the-Middle (MiTM) attack to inject malicious code such as password stealing, ransomware, tracking or any other kind of malware, onto the device.  

Check Point says that it notified Xiaomi of the threat immediately, and the vendor has now issued a patch for the flaw, but advises users to utilise mobile security software that is able to protect against such MiTM attacks.

In a statement, an Avast spokesperson said, "The attack scenario involving Xiaomi's 'Guard Provider', as described by Check Point in recent research, is proof-of-concept, and would be extremely complex - therefore highly unlikely - to happen in reality." 

"Avast is working with mobile partners, including Xiaomi, to further harden the security around Avast SDKs as a precaution and to reassure users that they are safe.""

Mike Moore
Deputy Editor, TechRadar Pro

Mike Moore is Deputy Editor at TechRadar Pro. He has worked as a B2B and B2C tech journalist for nearly a decade, including at one of the UK's leading national newspapers and fellow Future title ITProPortal, and when he's not keeping track of all the latest enterprise and workplace trends, can most likely be found watching, following or taking part in some kind of sport.