Critical vulnerability in Xiaomi smartphones pre-installed security app

According to experts from the International Institute of Cyber Security (IICS), the best ethical hacking institute, the Chinese company Xiaomi has patched a security vulnerability in Guard Provider, the security app preinstalled on its latest smartphone models.

According to reports, this vulnerability would have allowed threat actors to inject traffic into Guard Provider and execute arbitrary code, taking control of the device to install malware or steal the victim's sensitive information.

The experts from the best ethical hacking institute mentioned that the vulnerability exists due to a flaw in the design of the Xiaomi application. Guard Provider bundles three different antivirus engines: Avast, AVL and Tencent. Each of the three engines, as well as the application itself, ships with its own software development kit (SDK), which it uses to drive different functions.

According to the best ethical hacking institute, the interactions between the Avast SDK and the AVL SDK exposed a way to run code on a Xiaomi smartphone. The vulnerability could have had a reduced impact, but because traffic entering and leaving Xiaomi Guard Provider is not encrypted, a threat actor capable of intercepting the victim's web traffic (for example, on a shared Wi-Fi network) could have taken control of the device.
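The root enabler in the paragraph above is an app that talks to its update and scanning back ends over cleartext HTTP. The mitigation on the app side is to forbid cleartext traffic outright, so that any SDK bundled into the app fails closed instead of silently downloading code over an interceptable channel. The following is an added example of an Android network security configuration that does this; it is not code from Xiaomi or from any of the SDK vendors named on this page, and the file name `network_security_config.xml` and the domain `updates.example.com` are assumed placeholders.

```xml
<!-- res/xml/network_security_config.xml (placeholder file name)
     Added example, not part of the original article. -->
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <!-- Refuse plain HTTP for every host the app (and every SDK it bundles)
         connects to. On Android 9 (API 28) and later this is already the
         default; declaring it explicitly also covers older targets. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Optional hardening for the update endpoint: pin the server's
         public key so a rogue CA-issued certificate is not enough to
         impersonate it. The domain and pin below are constructed
         placeholders; a real deployment uses its own values and a
         backup pin for key rotation. -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">updates.example.com</domain>
        <pin-set expiration="2030-01-01">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
```

The configuration is referenced from the manifest with `android:networkSecurityConfig="@xml/network_security_config"` on the `<application>` element. Because the policy is enforced by the platform's networking stack, it applies to third-party SDK code inside the process as well, which is exactly the case this article describes: a flaw in one bundled SDK cannot be reached over the network if the app refuses to speak cleartext in the first place. A defender auditing a preinstalled app can check for the same property by inspecting the manifest for this attribute and for `android:usesCleartextTraffic="true"`, which would re-enable the weak behaviour.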

Cybersecurity specialists believe that these kinds of vulnerabilities expose how dangerous the practice of using more than one SDK in a single application is. "Minor flaws in each SDK can be treated independently; however, when multiple SDK deployments are used in the same application, critical vulnerabilities are likely to be generated," the experts noted.

This vulnerability should cause concern among users of smart devices. A recent study found that, on average, an Android app has 18 different SDKs. Such a high number of SDKs interacting with each other in the code of an application could generate serious security vulnerabilities that the developers are not even able to detect.

In addition, this study has shown the lack of security and privacy that abounds in the preinstalled applications of smart devices: in most cases, these apps contain security flaws or malware, or hold permissions invasive enough to access user activity.
