Avast-to-AVL SDK interaction created a dangerous fault in Xiaomi smartphones. Xiaomi patched a security flaw in the Guard Provider, the default security app included on all Xiaomi smartphones.
The vulnerability would allow attackers to inject traffic into the Guard Provider application and put malicious commands that allow a threat actor to execute malicious code to take over your phone, install malware, or steal user data.
CAUSED BUG BETWEEN TWO SDKS
The core of this problem is the design of the app. The Xiaomi Guard Provider app consists of three different antivirus brands that users can select and maintain as the default antivirus. The 3 are respectively Avast, AVL, and Tencent.
The app and the three antivIRUs products each come with different code libraries (SDKs) that are used to power different functions.
Check Point said two of the SDK interactions— the Avast SDK and the AVL SDK — exposed a way to run code on Xiaomi devices. That flaw would have had little effect. However, because the traffic from the Xiaomi Guard Provider had been unencoded, any attacker in a position to inject the victim’s web traffic could have effectively taken over the victim’s telephone. It includes man-in – the-middle attack scenarios, such as router malware, bogus ISPs, any “evil access points” scenario.
“The above scenario also shows the dangers of multiple SDKs being used within an app,” said Slava Makkaveev, Security Researcher at Check Point. “Although minor bugs in each SDK can often be an individual problem, it is likely that even more critical vulnerabilities aren’t far away when multiple SDKs are applied within the same application.”
The average number of mobile SDKs embedded in an app was approximately 18 from a 2018 study on the Android app ecosystem. With so many SDKs interacting with each other in a codebase app, app makers never know how these libraries can combine to produce super-bugs developers.
A study paper published last month found the Android ecosystem of pre-installed apps to be full of confidentiality and security, with many pre-installed apps containing security flaws, malware, and harvesting large volumes of user data without allowing users to opt-out or unlock offending apps.