Xiaomi phones with MIUI shipped with a vulnerable app: Report
It provided attacks an option to target device with MiTM attack.
The vulnerability has now been patched.
According to a cybersecurity company, the Guard Provider app exposes its users to a Man-in-the-Middle (MiTM) attack. The vulnerability has already been patched.
Make your home smarter than the average home
Make your life smarter, simpler, and more convenient with IoT enabled TVs, speakers, fans, bulbs, locks and more.
Click here to know more
OEMs are working hard to secure users' phones by pre-installing security apps. It becomes a matter of safety when it is because of these apps that users are exposed to cyberattack. Check Point research has claimed that it has found a vulnerability in the Guard Provider app, which comes pre-installed in Xiaomi phones with MIUI OS. The firm claims that this app can help an attacker to inject a rogue code to steal or track data, or even implant malware in the device.
The Israel-based company says that because of the “unsecured nature of the network traffic to and from Guard Provider,” a threat actor could connect to the same Wi-Fi network as the victim and carry out a Man-in-the-Middle (MiTM) attack - a type of eavesdropping attack that is carried out by disabling malware protections and typing in a code to steal data or insert ransomware. It says that when the firm disclosed the vulnerability to Xiaomi, “it released a patch shortly after.”
What is the vulnerability?
The Guard Provider app uses several third-party Software Development Kits (SDKs) as part of the security service it offers. The app includes three different antivirus built-in: Avast, AVL and Tencent. Users have the freedom of selecting any one of three providers as the default Anti-Virus engine to scan the device. When that anti-virus downloads the update, the hacker intercepts the network traffic via an MiTM attack and inject rogue code as part of a third-party SDK update.
Not only does the attacker target the chosen app to secure the device, it also infects the other two providers as well. This is due to the hidden disadvantages in using several SDKs within the same app. A problem in one SDK compromises the protection of all others, and the private storage data of one SDK cannot be isolated and can therefore be accessed by another SDK. “While minor bugs in each individual SDK can be often be a standalone issue, when multiple SDKs are implemented within the same app it is likely that even more critical vulnerabilities will not be far off,” Check Point said.
With a 14.5 percent year-on-year (YoY) growth as compared to 2017, the Indian smartphone market saw 142.3 million units shipped in the Calendar Year 2018, International Data Corporation’s (IDC) Asia/Pacific Quarterly Mobile Phone Tracker said earlier this year. According to the firm, Xiaomi topped the list by capturing 28.9 percent market share and shipping a total of 41.1 million devices last year.
Xiaomi also grew 28.6 percent YoY in the fourth quarter of 2018 because of its affordable Redmi series devices and offline expansion with opening of rural stores. Xiaomi’s Redmi 5A and Redmi Note 5/Pro series emerged as the fastest selling devices of 2018 with 10 million shipments each in the full year. The brand also led in the online channel with a share of 47.2 percent.
Digit caters to the largest community of tech buyers, users and enthusiasts in India. The all new Digit in continues the legacy of Thinkdigit.com as one of the largest portals in India committed to technology users and buyers. Digit is also one of the most trusted names when it comes to technology reviews and buying advice and is home to the Digit Test Lab, India's most proficient center for testing and reviewing technology products.
We are about leadership-the 9.9 kind! Building a leading media company out of India.And,grooming new leaders for this promising industry.