Phone security application vulnerabilities compromise devices

By Alfred Vergara on April 12, 2019

On April 4, 2019, researchers at Check Point Research disclosed vulnerabilities in Guard Provider, a security app preinstalled on Xiaomi phones. Xiaomi is the third largest mobile phone vendor in the world, behind Samsung and Apple, so up to 150 million devices manufactured and distributed by Xiaomi are affected. The vulnerabilities would allow a malicious actor to disable malware protections, inject rogue code, or install other malware on a victim’s device.

The Vulnerability

The vulnerability in the Guard Provider application stems from the way Guard Provider was designed. The application lets users choose between three third-party antivirus brands: Avast, AVL, and Tencent. This means the application is built with three different Software Development Kits (SDKs), all of which have similar access to application permissions, so a vulnerability in one SDK could, if exploited, affect the functionality of the others. It also means that data cannot be isolated between SDKs: the three SDKs run in the same application environment and therefore have access to the same resources.

Avast updates its virus database by downloading an Android application package (APK) to the following directory in Guard Provider: /data/data/com.miui.guardprovider/app_dex/vps_update_<timestamp>.apk

Updating is done over an unsecured Hypertext Transfer Protocol (HTTP) connection. This means that a malicious actor performing a Man in the Middle (MiTM) attack can intercept update requests and respond with a “404 error”, which tells the client that the server could be reached but the requested content is unavailable. Note that the APK filename carries its download timestamp, which makes the name easy to predict.

AVL updates virus signatures by requesting a configuration file. This configuration file is in plaintext: it includes the URL, size, and MD5 hash of the ZIP file that holds the signatures. Once the configuration file is downloaded, the signatures are downloaded from the provided update URL. Because the configuration file is transported in a non-secure way, a malicious user can intercept and modify it and point users to a crafted ZIP file; since the hash travels in the same modifiable file, it offers no protection against this substitution. The ZIP file can be crafted to exploit a path-traversal vulnerability in the SDK’s archive extraction, which allows a malicious actor to overwrite any file in the application’s sandbox. This affects the other SDKs as well, since they share an environment within Guard Provider. By overwriting the Avast APK, which had already been verified and scanned by the antivirus, a malicious file can be disguised as trusted, allowing arbitrary code execution with the privileges granted to the Avast APK.
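As an added example (not code from the post, from Guard Provider, or from the AVL SDK), the check that the signature extractor would have needed: every archive entry must resolve to a path strictly inside the intended directory, otherwise the whole update is refused. The signature directory name, the timestamp, and the sample archive contents are assumptions constructed for the demonstration.

```python
import io
import os
import zipfile

# Sandbox path from the post; the signature subdirectory is a hypothetical name.
APP_SANDBOX = "/data/data/com.miui.guardprovider"
AVL_SIG_DIR = os.path.join(APP_SANDBOX, "avl_signatures")

def is_safe_member(dest_dir, member_name):
    """True only if the entry resolves to a path strictly inside dest_dir."""
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, member_name))
    return target != root and os.path.commonpath([root, target]) == root

def unsafe_members(zip_bytes, dest_dir):
    """Entry names in an archive that would escape dest_dir (path traversal)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if not is_safe_member(dest_dir, n)]

def safe_extract(zip_bytes, dest_dir):
    """Refuse the whole archive if any entry escapes; otherwise extract it."""
    bad = unsafe_members(zip_bytes, dest_dir)
    if bad:
        raise ValueError(f"refusing update archive, path traversal in: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest_dir)
        return sorted(zf.namelist())

def build_zip(entries):
    """Build an in-memory ZIP from {name: bytes}; used only for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed samples: a benign signature update, and one whose entry climbs out
# of the signature directory into app_dex, where the post says the Avast APK lives.
BENIGN_UPDATE = build_zip({"sigs/avl.db": b"signature data"})
TRAVERSAL_UPDATE = build_zip({
    "sigs/avl.db": b"signature data",
    "../app_dex/vps_update_1554364800.apk": b"not an apk (constructed timestamp)",
})

if __name__ == "__main__":
    print("benign escapes:", unsafe_members(BENIGN_UPDATE, AVL_SIG_DIR))
    print("traversal escapes:", unsafe_members(TRAVERSAL_UPDATE, AVL_SIG_DIR))
```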

A malicious user can conduct the following attack, which requires some user interaction:

  1. Intercept and block Avast update requests
  2. Learn the name of the existing Avast APK
  3. The user switches to AVL because the Avast updates keep failing
  4. Intercept the AVL configuration file and inject a malicious update URL
  5. The user's device extracts the malicious ZIP, which overwrites the Avast APK
  6. The user eventually runs the malicious Avast APK, compromising the device in some way

Besides this complex attack vector, users of Guard Provider may also be denied security updates, since their update requests are visible in plaintext traffic to a malicious actor performing a MiTM attack.

Impact

Xiaomi is the third largest mobile phone vendor in the world, behind Samsung and Apple. Thus, this issue affects a large number of mobile phone users: up to 150 million devices manufactured and distributed by Xiaomi. If an application is intended to secure a device, users must be able to trust that system. Most users rely on and follow security practices only when it is convenient. Thus, securing a preinstalled vendor application is important to protecting the wider tech landscape, similar to vaccination. If a compromised device is placed inside a trust boundary, it can affect devices that are not compromised.

Trusting a supplier

There is an expectation that if a device is bought from a vendor, such as Cisco, it will be a secure device. Tech vendors have a duty to provide customers with a device that delivers the promised functionality, and must continue to support devices with patches that fix vulnerabilities as they are found. All devices, software, and services have vulnerabilities, both undiscovered and known.

While this vulnerability is not intentional, foreign companies have a bad track record of including intentional vulnerabilities, or spying capabilities, on devices. This can be seen with Lenovo in 2015, with spyware on laptops, and most recently in late 2018, when Supermicro servers and chips were reported to carry a physical means of exploiting devices after they left the supply chain. While I am not saying that foreign companies are inherently bad, it may be smart to be cautious with purchases based on significant events.

Mitigation

Xiaomi has released patches for the vulnerabilities found by Check Point researchers, so it is recommended to update Guard Provider. One may also consider hardening the phone by removing unneeded applications: the idea behind hardening a system is to remove unnecessary services or applications, since each application is bound to have vulnerabilities, both undiscovered and known. Therefore, it is imperative to minimize the applications on your system and, as a developer, the SDKs bundled into your application.

Sources

http://gs.statcounter.com/vendor-market-share/mobile/worldwide/2018

https://research.checkpoint.com/vulnerability-in-xiaomi-pre-installed-security-app/

https://thehackernews.com/2019/04/xiaomi-antivirus-app.html

https://thehackernews.com/2015/09/lenovo-laptop-virus.html

https://www.pcmag.com/news/364262/does-your-motherboard-have-a-secret-chinese-spy-chip

https://techterms.com/definition/systemhardening

https://www.lifewire.com/404-not-found-error-explained-2622936