Beijing-headquartered Xiaomi Corporation is the fourth largest mobile vendor worldwide, possessing 7.5% of the global market share. Only Samsung, Apple and Huawei boast a larger market share, according to StatCounter.
Check Point researchers discovered the flaw in Xiaomi’s pre-installed security app “Guard Provider,” designed to protect the phone by detecting malware, which actually exposes the user to data theft, ransomware, tracking and malware.
The company has already disclosed the vulnerability to Xiaomi, which has since released a patch to fix the threat.
The vulnerability enabled hackers to connect to the same Wi-Fi network as the Xiaomi user and carry out a Man-in-the-Middle attack, whereby a hacker can track communication between a device and a server.
Once inside, via a third-party Software Development Kit update, that actor could then disable malware protections and inject rogue code to steal data, implant ransomware or tracking, or install any other kind of malware.
“It is completely understandable that users would put their trust in smartphone manufacturers’ pre-installed apps, especially when those apps claim to protect the phone itself,” said researchers at Check Point in a statement.
“This vulnerability discovered in Xiaomi’s ‘Guard Provider’, however, raises the worrying question of who is guarding the guardian. And although the guardian should not necessarily need guarding, clearly when it comes to how apps are developed, even those built in by the smartphone vendor, one cannot be too careful.”
In January, Check Point researchers also identified vulnerabilities potentially granting hackers access to personal information belonging to nearly 80 million players of popular online video game Fortnite.
The vulnerabilities, if exploited, would have enabled full access to a user’s account and their personal information, including purchasing in-game currency using their payment card details, as well as listening to in-game chatter and surrounding sounds and conversations within the user’s home or playing location.
Check Point notified Fortnite developer Epic Games of the vulnerability, which has since been fixed, but warned users to always remain vigilant when exchanging information digitally and to question the legitimacy of links to information seen on user forums and websites.