Xiaomi mobile app hid major security flaw

(Image credit: Xiaomi)

Xiaomi smartphones may have been affected by a serious security flaw hidden in a pre-installed mobile app, researchers have claimed.

Experts from Check Point Research said they discovered a vulnerability in an app bundled on Xiaomi devices that could have let hackers hijack smartphones and inject malware.

China's Xiaomi has enjoyed huge success in recent years to become the third-largest mobile vendor in the world, meaning millions of users may have been affected.

Insecure

The flaw was found within the pre-installed Guard Provider security app, which is ironically designed to prevent a device from being infected by malware, and which the user cannot delete.

Check Point says that Guard Provider uses several third-party Software Development Kits (SDKs), including SDKs from three different antivirus brands that the user can choose from to protect their phone: Avast, AVL and Tencent.

However, because the network traffic to and from the Guard Provider app is unencrypted, and because multiple SDKs share the same app, a threat actor could connect to the same Wi-Fi network as the victim and carry out a Man-in-the-Middle (MiTM) attack, injecting malicious code (password stealers, ransomware, tracking tools or any other kind of malware) onto the device.
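Xiaomi phones run Android, where an app's cleartext policy is declared in its network security configuration. The added example below (not code from Check Point, Xiaomi or Avast) places a weak configuration that allows the unencrypted traffic this attack relies on beside a hardened one, with a small audit function a reviewer could run over such a file; the domain name and certificate pins are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed examples of an Android network_security_config.xml.
# WEAK mirrors the posture described in the article: plain HTTP is allowed,
# so an on-path attacker on the same Wi-Fi can tamper with what the app fetches.
WEAK_CONFIG = """<network-security-config>
    <base-config cleartextTrafficPermitted="true" />
</network-security-config>"""

# HARDENED forbids cleartext everywhere and pins the SDK update host
# (placeholder domain and placeholder pin values, not real ones).
HARDENED_CONFIG = """<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">sdk-update.example.com</domain>
        <pin-set expiration="2026-01-01">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>
</network-security-config>"""


def _permits(elem, default):
    """Read cleartextTrafficPermitted from an element, inheriting `default` if absent."""
    value = elem.get("cleartextTrafficPermitted")
    return default if value is None else value.lower() == "true"


def audit_cleartext(config_xml):
    """Return (base_allows_cleartext, {domain: allows_cleartext}).

    Android's platform default depends on the API level, so when the attribute
    is missing we assume the pessimistic case (cleartext allowed).
    """
    root = ET.fromstring(config_xml)
    base = root.find("base-config")
    base_allows = _permits(base, True) if base is not None else True
    per_domain = {}
    for dc in root.findall("domain-config"):
        allows = _permits(dc, base_allows)
        for d in dc.findall("domain"):
            per_domain[d.text.strip()] = allows
    return base_allows, per_domain


def findings(config_xml):
    """Findings a reviewer would report for a bundled app's network config."""
    base_allows, per_domain = audit_cleartext(config_xml)
    out = []
    if base_allows:
        out.append("base-config permits cleartext HTTP: on-path tampering possible")
    out.extend(f"{dom} permits cleartext HTTP" for dom, ok in per_domain.items() if ok)
    return out
```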

Check Point says that it notified Xiaomi of the threat immediately, and the vendor has now issued a patch for the flaw; Check Point nevertheless advises users to run mobile security software that is able to protect against such MiTM attacks.

In a statement, an Avast spokesperson said, "The attack scenario involving Xiaomi's 'Guard Provider', as described by Check Point in recent research, is proof-of-concept, and would be extremely complex - therefore highly unlikely - to happen in reality." 

"Avast is working with mobile partners, including Xiaomi, to further harden the security around Avast SDKs as a precaution and to reassure users that they are safe."

Mike Moore
Deputy Editor, TechRadar Pro

Mike Moore is Deputy Editor at TechRadar Pro. He has worked as a B2B and B2C tech journalist for nearly a decade, including at one of the UK's leading national newspapers and fellow Future title ITProPortal, and when he's not keeping track of all the latest enterprise and workplace trends, can most likely be found watching, following or taking part in some kind of sport.
