GENERALLY, YOU EXPECT security software to keep you safe, especially when it comes bundled with your handset and not from a dodgy Google Play Store provider. Xiaomi, the world's fourth-largest phone manufacturer, has just had to patch a vulnerability in its own preinstalled Guard Provider app which would leave handsets open to man-in-the-middle attacks.
Guard Provider is actually a delicious blend of three different legitimate antivirus apps - a heady cocktail of Avast, AVL and Tencent - but the way it would update was distinctly insecure. As Check Point researcher Slava Makkaveev revealed, Guard Provider would update via an unsecured HTTP connection, meaning a hacker could trick the phone into thinking it was the server.
"Then, as part of a third-party SDK update, he could disable malware protections and inject any rogue code he chooses, such as to steal data, implant ransomware or tracking or install any other kind of malware," Makkaveev writes.
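For anyone shipping a self-updating app, the defence against the scenario described above is to reject plain-HTTP update URLs and to check the downloaded file against a digest the network cannot alter. The sketch below is an added example, not Xiaomi's, Avast's or Check Point's code; the host name, file name and payload are constructed, and pinning the digest in the app package is an assumption that stands in for a signed update manifest.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumption: digests ship inside the signed app package, so a network
# attacker cannot change them. Host name and payloads are constructed samples.
TRUSTED_HOSTS = {"updates.example.com"}
GENUINE = b"constructed sample: genuine signature database v2"
PINNED_SHA256 = {"avdb-v2.bin": hashlib.sha256(GENUINE).hexdigest()}


class UpdateRejected(Exception):
    """Raised when an update must not be applied."""


def check_update_url(url: str) -> str:
    """Return the file name if the URL is https on a trusted host."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise UpdateRejected(f"refusing non-TLS transport: {parts.scheme!r}")
    if parts.hostname not in TRUSTED_HOSTS:
        raise UpdateRejected(f"untrusted host: {parts.hostname!r}")
    name = parts.path.rsplit("/", 1)[-1]
    if name not in PINNED_SHA256:
        raise UpdateRejected(f"no pinned digest for {name!r}")
    return name


def verify_update(url: str, payload: bytes) -> bool:
    """Accept payload only if transport and content checks both pass."""
    name = check_update_url(url)
    actual = hashlib.sha256(payload).hexdigest()
    # Constant-time comparison of the computed and pinned digests.
    if not hmac.compare_digest(actual, PINNED_SHA256[name]):
        raise UpdateRejected(f"digest mismatch for {name!r}")
    return True


def decision(url: str, payload: bytes) -> str:
    """Demonstration helper: 'apply' or the rejection reason."""
    try:
        verify_update(url, payload)
        return "apply"
    except UpdateRejected as exc:
        return f"reject: {exc}"


if __name__ == "__main__":
    tampered = GENUINE + b" + injected code"  # what a man-in-the-middle would serve
    print(decision("http://updates.example.com/avdb-v2.bin", GENUINE))
    print(decision("https://updates.example.com/avdb-v2.bin", tampered))
    print(decision("https://updates.example.com/avdb-v2.bin", GENUINE))
```

The content check matters even with HTTPS in place, because it still rejects a modified file if the transport is ever downgraded or misconfigured.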
Makkaveev was also somewhat dubious about the merits of bundling three antivirus solutions in a single app. Although the user picks which one they want to use when they start up, putting them all under the same roof means a small vulnerability can suddenly become a large one.
Not only that, but "the private storage data of one SDK cannot be isolated and can therefore be accessed by another SDK."
But leaving aside possible risks of the format, for now Guard Provider is patched. A Xiaomi spokesperson said that the company is "aware of this and [has] already worked with our partner Avast to fix it."
At the end of the blog post explaining the vulnerability, Makkaveev highlights that Check Point's own mobile AV software - SandBlast Mobile - would have detected the initial man-in-the-middle attack, eliminating the risk. Always be hustlin', Check Point.