Mobile phones are still selling like hotcakes despite stiff competition among mobile phone manufacturers. Needless to say, mobile phones remain part of our daily lives, serving as multi-functional tools for everything from communication to almost any other task, thanks to the applications made for mobile devices.
It is well known that Android-based phones such as Xiaomi's are a target of malicious mobile apps and phishing applications. Xiaomi therefore took steps to protect its consumers' safety and interests by pre-installing a security app, Guard Provider, on its devices. However, it appears that hackers and black hats will always find a way to abuse a vulnerability.
Guard Provider is the pre-installed security app developed by Xiaomi. It includes three different anti-malware protection apps, namely Avast, AVL, and Tencent, and allows users to choose among the three.
According to experts, using several SDKs in an application such as Guard Provider was not a good idea, because the data of one SDK cannot be isolated and any issue in one of the SDKs could compromise the protection provided by the others.
The bottom line is that multiple minor bugs from several SDKs rolled into one app could produce unseen critical issues.
Overview of the Attack
A patch revealed that Guard Provider had been downloading signatures over an unsecured HTTP connection. This allows an attacker on an open Wi-Fi network to mount a man-in-the-middle attack, intercept the device's network connection, and push malicious updates in place of the intended updates.
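One way a defender could audit an app for the weakness described above is to check whether it is permitted to use plain HTTP at all. This is an added example, not Xiaomi's or Guard Provider's code; it assumes the manifest and network security config have already been decoded to text XML, and the function name `audit_cleartext`, the sample manifests and the `updates.example.invalid` host are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

def audit_cleartext(manifest_xml, nsc_xml=None, strings=()):
    """List the places where an app is allowed or likely to use plain HTTP."""
    findings = []
    root = ET.fromstring(manifest_xml)
    sdk, app = root.find("uses-sdk"), root.find("application")
    target = int(sdk.get(ANDROID + "targetSdkVersion", "1")) if sdk is not None else 1
    # Platform default: cleartext is allowed when targeting API 27 or lower.
    allowed = target <= 27
    if nsc_xml is None:
        flag = app.get(ANDROID + "usesCleartextTraffic") if app is not None else None
        if flag is not None:
            allowed = flag == "true"
    else:
        # A network security config takes precedence over the manifest flag.
        nsc = ET.fromstring(nsc_xml)
        base = nsc.find("base-config")
        if base is not None and base.get("cleartextTrafficPermitted"):
            allowed = base.get("cleartextTrafficPermitted") == "true"
        for dc in nsc.iter("domain-config"):
            if dc.get("cleartextTrafficPermitted") == "true":
                for dom in dc.findall("domain"):
                    findings.append(f"cleartext permitted for {dom.text.strip()}")
    if allowed:
        findings.append("cleartext HTTP permitted app-wide")
    for s in strings:
        findings += [f"hard-coded HTTP URL: {u}" for u in re.findall(r"http://[^\s\"'<>]+", s)]
    return findings

NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
# Constructed samples: an app that inherits the permissive default, and a hardened one.
WEAK = f'<manifest {NS}><uses-sdk android:targetSdkVersion="26"/><application/></manifest>'
HARDENED = (f'<manifest {NS}><uses-sdk android:targetSdkVersion="28"/>'
            '<application android:usesCleartextTraffic="false"/></manifest>')
NSC = ('<network-security-config><base-config cleartextTrafficPermitted="false"/>'
       '<domain-config cleartextTrafficPermitted="true">'
       '<domain includeSubdomains="true">updates.example.invalid</domain>'
       '</domain-config></network-security-config>')

if __name__ == "__main__":
    urls = ['sig_url = "http://updates.example.invalid/signatures.db"']  # constructed
    for finding in audit_cleartext(WEAK, strings=urls):
        print(finding)
```

Blocking cleartext only closes the transport gap; an updater should still verify the integrity of what it downloads before applying it.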
Risks of the Attack
Once an attacker on a public or open Wi-Fi network has used Guard Provider as a backdoor into your Xiaomi phone, the attacker will be able to gain access to the phone owner's internal and external memory, the files themselves, and other sensitive data, which also makes it possible to inject malware.
For corporate and individual freelance developers: always think twice whenever you plan to use several SDKs in one app. It is better to be safe than sorry. Failing to recognize this could potentially lead to a lawsuit against publishers or developers. Malware attacks through remote code execution are becoming more common, so applications should ideally be checked by ethical hackers who specialize in mobile apps.