In a blog post, Check Point researcher Slava Makkaveev said the attacker could then use a third-party SDK update to disable malware protections and inject any rogue data to steal data, implant ransomware or tracking code. Other malware could also be installed.
Guard Provider is available on all mainstream Xiaomi phones and uses several third-party software development kits as party of the security service it offers. There are three anti-virus brands from among which the user can use: Avast, AVL and Tencent.
Makkaveev said there were disadvantages in using several SDKs within the same app. "Because they all share the app context and permissions, a problem in one SDK would compromise the protection of all the others and the private storage data of one SDK cannot be isolated and can therefore be accessed by another SDK," he noted.
"And although the guardian should not necessarily need guarding, clearly when it comes to how apps are developed, even those built in by the smartphone vendor, one cannot be too careful," he said.
This attack scenario also illustrated the dangers of using multiple SDKs in one app. "While minor bugs in each individual SDK can be often be a standalone issue, when multiple SDKs are implemented within the same app it is likely that even more critical vulnerabilities will not be far off," Makkaveev said.