Preinstalled apps on mobile phones can be just as annoying as crapware found on new PCs. Now a report from security experts at Check Point Research suggest those preinstalled mobile apps may be more than just annoying – they can also be a security risk.

Check Point found that a security app called Guard Provider was being preinstalled on top-phone maker Xiaomi handsets. Instead of guarding the mobile phones, the app had a gaping security hole that opened users up to man-in-the-middle attacks. Worse, the app was baked into the phone maker’s forked version of the Android operating system, and couldn’t be removed.

China-based Xiaomi ranks as the world’s no. 4 phone maker behind Samsung, Apple and Huawei. Its phones dominate India’s handset market and have scant sales in the U.S. via online retailers such as Amazon and B&H Foto & Electronics.

“Due to the unsecured nature of the network traffic to and from Guard Provider and the use of multiple SDKs within the same app, a threat actor could connect to the same Wi-Fi network as the victim and carry out a man-in-the-middle (MiTM) attack,” Check Point wrote in a post on Thursday.

The vulnerability ties back to the way multiple SDKs are used by the app to communicate, allowing an attacker to inject rogue code. For example, a successful exploit could allow an adversary to steal passwords, plant ransomware or install some to type of stalker-ware onto targeted phones.

Not Just a Xiaomi Problem

The problem of preinstalled and potentially harmful applications (PHAs) is not unique to Xiaomi, according to a recent report from Google. In its Android Security and Privacy Year in Review 2018, released April 1, Google reported an uptick in Android devices with preinstalled PHAs. It also noted PHAs are increasingly bundled with system updates.

“Malicious actors increased their efforts to embed PHAs into the supply chain using two main entry points: new devices sold with pre-installed PHAs and over the air (OTA) updates that bundle legitimate system updates with PHAs,” wrote Google.

Digging into the Xiaomi Flaws

In the case of Xiaomi and Guard Provider, Check Point said there was no malicious intent by the app maker. Instead, researchers blame “SDK Fatigue” on the MiTM flaw. They explain, mobile SDKs have helped developers by removing the need to spend time writing code and developing back-end stability for functionalities unrelated to the core of their app.

“But as more and more third party code is added to the app, the effort around keeping its production environment stable, protecting user data and controlling the performance gets much more complicated,” researchers wrote. “[The] use of multiple SDKs within the same app makes the app more susceptible to problems such as crashes, viruses, malwares, privacy breaches, battery drain, slowdown, and many other problems.”

Check Point cites a 2018 report by SafeDK that revealed on average a single app now has over 18 SDKs implemented.

“The hidden disadvantages in using several SDKs within the same app lie in the fact that they all share the app context and permissions,” researchers said. They said when multiple SDKs are used, if a flaw is present in one, all other SDKs would be compromised. They added the problem is also that “private storage data of one SDK cannot be isolated and can therefore be accessed by another SDK.”

Check Point did not make a technical description of the MiTM vulnerability in Guard Provider available in time for this report.