A Vulnerability in Xiaomi's Guard Provider App Could Expose Devices to Malware
Many people assume that the only thing they need to do to protect their devices is to install some sort of security software. They tend to view anti-malware products as a panacea that can guarantee the safety of their data. This, as we'll find out today, is a completely wrong assumption.
Like many other Android device manufacturers, Xiaomi sells its tablets and phones with a few preinstalled applications and tools. Among them is Guard Provider – a security application that can scan the device for malware, clear unwanted information, and improve the system's performance. Recently, Check Point researchers found a vulnerability in Guard Provider that, if exploited, can cause quite a lot of headaches. Let's see how it works.
Multiple SDKs for additional functionality and greater risk
Xiaomi, as you probably know, is not renowned for its anti-malware products, which meant that when it was putting together the Guard Provider application, the Chinese phone maker needed to implement the scanning and detection functionality of a third-party. Instead of using just one security vendor, however, Xiaomi's developers decided to give users the freedom to pick the AV company they trust the most. Xiaomi owners can choose between Avast, AVL, and Tencent which means that three separate Software Development Kits (or SDKs) have been implemented into the Guard Provider application.
An SDK is a collection of tools designed to create applications for a specific operating system. Although we're talking about one and the same OS in this case (Android) the different AV vendors used different SDKs for their scanners which meant that Xiaomi had no other choice but to implement all three of them.
This, in and of itself, is not uncommon at all, but as Check Point pointed out, it does bring additional risk, like for example, the fact that SDKs work in the same environment and can access the same data. As a result, compromising the protection of one SDK can completely ruin the security of the entire application. Couple this with an unsecured connection, and you end up with a rather plausible exploit scenario.
Exploiting Xiaomi's Guard Provider
Guard Provider is a product with AV functionality which means that there must be a mechanism for regularly updating the app's virus definitions. One of the first things Check Point's experts noticed when they took the application apart was that the SDKs from Avast and AVL update their definitions through HTTP rather than HTTPS. This automatically means that a Man-in-the-Middle scenario is possible if the hackers and the victim are connected to the same Wi-Fi network.
Thanks to this, the attackers can predict when Avast's SDK will try to update its definitions. Updated definitions are downloaded as APK files and include a timestamp in the file name. After they've figured out what the next timestamp will be, the hackers need to disable Avast and make AVL the default antivirus. Because they are still "in the middle", doing this is as simple as giving the Avast SDK a 404 error when it tries to connect to its backend. Guard Provider automatically switches to AVL which concludes the first stage of the attack.
As soon as AVL becomes the antivirus of choice, it connects to its backend and downloads a configuration file which tells the SDK where it can find available updates. Unfortunately, this too is done via HTTP which means that the attackers can change the configuration file, tricking Guard Provider into downloading a crafted ZIP archive that contains a malicious APK file.
The ultimate goal is to trick the AVL SDK into extracting the APK from the archive and, saving it in the correct location, with the correct timestamp, to mask it as an Avast definitions update. Thanks to a path-traversal vulnerability and the fact that multiple SDKs have access to the same data, this is possible.
The final step is to make Guard Provider switch the AV scanner back to Avast which means that Avast's SDK will automatically run the malicious APK file.
Xiaomi has already patched the hole
We're talking about remote code execution. The attackers can put whatever they want into the APK meaning that a potential attack can result in anything from unwanted ads and applications to password theft and even a ransomware infection. It's just as well, then, that the vulnerability has already been patched.
After discovering the security issue, Check Point immediately contacted Xiaomi, and the Chinese phone maker quickly issued a patch. If you haven't already, make sure that you're running Guard Provider's latest version.
The irony that a security product is vulnerable to a cyberattack is not lost on us, but the fact of the matter is, AV software is still software meaning that it inevitably comes with its bugs and holes that can be exploited. When it comes to Android, the issues are particularly nasty.
The attack described above is not that easy to pull off, but other, more trivial threats appear every day, and research suggests that most of the security apps you'll find on Google Play are as good as useless. There isn't a whole lot you can do other than making sure that the security product you're using is real, that the automatic updates are turned on, and that there are no shady applications on your device.