Xiaomi smartphones may have been affected by a serious security flaw hidden in a pre-installed mobile app, researchers have claimed.
Experts from Check Point Research said they discovered a vulnerability in an app bundled on Xiaomi devices that could have let hackers hijack smartphones and inject malware.
China’s Xiaomi has enjoyed huge success in recent years to become the third-largest mobile vendor in the world, meaning millions of users may have been affected.
The flaw was found within the pre-installed Guard Provider security app, ironically designed to prevent a device being infected by malware, and an app that is not able to be deleted by the user.
Check Point says that Guard Provider uses several third-party Software Development Kits (SDKs), including three different antivirus brands built that the user can choose from to protect their phone: Avast, AVL and Tencent.
However, due to the unsecured nature of the network traffic to and from the Guard Provider app and the use of multiple SDKs within the same app, a threat actor could connect to the same Wi-Fi network as the victim and carry out a Man-in-the-Middle (MiTM) attack to inject malicious code such as password stealing, ransomware, tracking or any other kind of malware, onto the device.
Check Point says that it notified Xiaomi of the threat immediately, and the vendor has now issued a patch for the flaw, but advises users to utilise mobile security software that is able to protect against such MiTM attacks.