Juan Garzon/CNET

One of China's largest phone makers had a glaring security flaw that hackers could pounce on, researchers said.

On Thursday, Check Point security researchers disclosed a vulnerability with Xiaomi phones, stemming from its preinstalled Guard Provider app. The app is intended to be a security feature, with three antivirus programs packed inside to detect malware. The antivirus scanners come from Avast, AVL and Tencent.

But the security feature introduced a vulnerability, according to Check Point researcher Slava Makkaveev.

Guard Provider gets its updates through an unsecured HTTP connection, he said. This means that if an attacker was on the same Wi-Fi network as a potential victim, the hacker could insert malware in those updates through a "man-in-the-middle attack." That's when a rogue network is set up to look exactly like the one you're connected to and tricks the victim's device into connecting to the fake Wi-Fi.

Check Point said it's disclosed this vulnerability to Xiaomi, and that the phone maker has released a patch to fix the flaw.

"Xiaomi is aware of this and [has] already worked with our partner Avast to fix it," a Xiaomi spokeswoman said in a statement.

Xiaomi phones are some of the most popular devices in China, and the company boasts its own foldable phones and high-end gaming phones. The company's handsets ranked as the fourth most-shipped phones in the world, according to its quarterly earnings report from December. Xiaomi said it sold about 118.7 million phones in 2018.

Preventing vulnerabilities on your phone is hard already, with people having to watch out for hundreds of thousands of bad apps every year. When the security flaw comes preinstalled, it creates a new challenge as millions of people are exposed to an attack from the moment they boot up their devices.

Phones are also attractive targets for hackers because they carry sensitive information like your location, photos, messages and contacts. Malware is appearing more frequently on phones. And with this vulnerability on Xiaomi devices, an attacker had plenty of options, Check Point said.

Using the vulnerability, a hacker could've interrupted Guard Provider's update process and added malware that would steal data, install tracking apps or plant ransomware, Makkaveev said. The attacker would have to time this to when the updates are happening and also know the file name of the update -- which is not difficult to figure out because they follow a template, said Yaniv Balmas, Check Point's head of research.

"It's supposed to secure you, and it does the exact opposite," Balmas said. "It leaves a backdoor that could completely compromise my phone."

Check Point confirmed that Xiaomi has fixed the issue, but if you're concerned about vulnerabilities like this, you should be wary of public Wi-Fi networks because an attack requires people to be on the same Wi-Fi network as the hackers.



Originally published at 6:00 a.m. PT.

Update, 6:21 a.m.: To include more details from Check Point.