Security fail: Pre-installed anti-malware app exposes phone users to MitM attacks

News by Rene Millman

Security researchers have discovered a flaw in the pre-installed security app, 'Guard Provider', which should protect the phone from malware, in smartphones manufactured by Chinese vendor Xiaomi.

Security researchers have discovered a flaw in one of the preinstalled apps in smartphones manufactured by Chinese vendor Xiaomi.

According to a blog post by researchers, it was the pre-installed security app, ‘Guard Provider’, "which should protect the phone from malware, which exposes the user to an attack".

Researchers said that due to the unsecured nature of the network traffic to and from Guard Provider and the use of multiple SDKs within the same app, a threat actor could connect to the same Wi-Fi network as the victim and carry out a Man-in-the-Middle (MiTM) attack.

"Due to gaps in communication between the multiple SDKs, the attacker could then inject any rogue code he chooses such as password stealing, ransomware, tracking or any other kind of malware," added researchers.
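The "unsecured network traffic" the researchers describe is exactly what Android's Network Security Configuration is meant to rule out for an app and every SDK bundled inside it. The following is an added illustration, not code from the original report or from Xiaomi's app; it assumes an Android app, and the hostname and pin digests are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, wired in from the manifest with
     android:networkSecurityConfig="@xml/network_security_config" -->
<network-security-config>
    <!-- Weak setting: plaintext HTTP allowed for every host (the default
         before API 28). Anyone on the same Wi-Fi can read and rewrite
         these requests, which is the MitM position described above.
         Kept here, commented out, only for comparison. -->
    <!--
    <base-config cleartextTrafficPermitted="true" />
    -->

    <!-- Hardened setting: refuse cleartext for every host the process
         talks to, and trust only the system CA store, not user-added CAs.
         The base-config applies to all SDKs in the app that use the
         platform network stack, so one SDK cannot quietly fall back to HTTP. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Pin the host that delivers updates or signatures to the app, so a
         certificate from any other CA is rejected even if it chains to a
         trusted root. Hostname and SPKI hashes are placeholders; a backup
         pin is required so a key rotation does not brick the app. -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">updates.example.com</domain>
        <pin-set expiration="2026-01-01">
            <pin digest="SHA-256">PLACEHOLDER_BASE64_SPKI_HASH_PRIMARY=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BASE64_SPKI_HASH_BACKUP=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
```

One caveat for the multi-SDK problem the article raises: this configuration governs the platform's HttpsURLConnection and libraries built on it (such as OkHttp), but an SDK that ships its own TLS stack or native networking code is not covered and has to be audited separately.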

According to researchers, one of the main problems that caused the flaw was "SDK fatigue".

"This increased use of multiple SDKs within the same app makes the app more susceptible to problems such as crashes, viruses, malware, privacy breaches, battery drain, slowdown, and many other problems," they said.

There are many disadvantages in using several SDKs within the same app, according to Check Point Software. First, a problem in one SDK would compromise the protection of all the others. Second, the private storage data of one SDK cannot be isolated and can therefore be accessed by another SDK.

Researchers said that according to a recent report, the use of multiple SDKs in a single app is far more common than one might think. On average, a single app now has over 18 SDKs implemented within it.

"But by doing so, developers leave organisations and users exposed to potential pitfalls that can be exploited by threat actors to interfere with the regular operation of the device," they said.

"Developers and corporations alike need to also be aware that having a secure element combined with another secure element within an app on their phone does not necessarily mean that when these two elements are implemented together that the device as a whole will remain secure."

Researchers concluded that the only defence against these types of hidden and obscure threats is to ensure an organisation’s fleet of mobile devices are protected from potential Man-in-the-Middle attacks.

Tom Davison, EMEA director at Lookout, told SC Media UK that a pre-installed app, just like any other app downloaded from an app store, may present a risk to the user.

"Pre-installed apps can be susceptible to vulnerabilities, may incorporate malicious or insecure SDKs and may handle user data in a way that poses a risk. This could be through over-zealous information gathering, or the use of out-dated encryption protocols. The best way for a user to mitigate the risk is to use a mobile security solution on the device. This will inspect and advise on the risks posed by any application on the device, whether pre-installed or user installed," he said.

Martin Thorpe, enterprise architect for Venafi, told SC Media UK that one of the most important steps in stopping MiTM attacks is for organisations to gain control over all the machine identities on their network and which identities are trusted by which other identities.

"When an organisation manufactures smartphones and puts their own security software on them, then that network includes each and every smartphone that they manufacture. This means automation given the number of machine identities that modern companies are dealing with, which can easily be in the millions," he said.
