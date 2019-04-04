Juan Garzon/CNET

One of China's largest phone makers had a glaring security flaw for hackers to pounce on, researchers said.

On Thursday, security researchers from Check Point disclosed a vulnerability with Xiaomi's phones, stemming from its preinstalled Guard Provider app. The app is intended to be a security feature -- with three antivirus programs packed inside to detect malware. Those antivirus scanners included Avast, AVL and Tencent.

But the security feature introduced a vulnerability, Check Point researcher Slava Makkaveev said.

Guard Provider gets its updates through an unsecured HTTP connection, he said. That means an attacker on the same Wi-Fi network could intercept those updates and insert malware into them, a "man-in-the-middle attack." Because plain HTTP carries no encryption and no way for the phone to check who sent the data, anyone who can get between the phone and the update server can read and rewrite the update before it arrives, whether by setting up a rogue network that looks exactly like the one the victim uses and tricking the device into connecting to it, or by redirecting traffic on a shared network the attacker is already on.
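The following is an added example, not code from Xiaomi, Avast or Check Point, showing why the problem is the lack of authentication rather than Wi-Fi as such. It models an update that travels over a network where an attacker can rewrite the response, and contrasts the vulnerable client, which installs whatever bytes arrive, with a hardened client that only installs a body carrying a valid Ed25519 signature from a public key pinned in the app. The sample update bytes, the signing seed and all function names are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Constructed sample data; nothing here is a real vendor's update format.
// A definitions blob the vendor's update server would hand out.
var genuineUpdate = []byte("AV-DEFS 2019-04-04: benign definitions payload")

// What an attacker on the path substitutes for it.
var maliciousUpdate = []byte("AV-DEFS 2019-04-04: payload with attacker code")

// Hypothetical vendor signing key. The seed is fixed so the example is
// deterministic; a real vendor keeps the private half offline and ships
// only the public half inside the app.
var vendorPriv = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
var vendorPub = vendorPriv.Public().(ed25519.PublicKey)

// Update is one update as it travels over the network: the body plus a
// detached signature. The HTTP-only design described in the article has,
// in effect, no Signature field and trusts Body unconditionally.
type Update struct {
	Body      []byte
	Signature []byte
}

// serveUpdate models the vendor's server: it signs the body before sending.
func serveUpdate() Update {
	return Update{Body: genuineUpdate, Signature: ed25519.Sign(vendorPriv, genuineUpdate)}
}

// manInTheMiddle models the attacker sitting between phone and server on a
// shared Wi-Fi network. Plain HTTP lets them rewrite the response body at
// will; they cannot, however, produce a valid signature without vendorPriv.
func manInTheMiddle(u Update) Update {
	u.Body = maliciousUpdate
	return u
}

// installUnverified is the vulnerable pattern: whatever arrived is installed.
func installUnverified(u Update) []byte {
	return u.Body
}

// installVerified is the hardened pattern: the body is installed only if the
// signature checks out against the public key pinned in the app. This check
// holds even when the transport itself has been subverted, which is why it
// belongs alongside, not instead of, moving the channel to HTTPS.
func installVerified(u Update, pub ed25519.PublicKey) ([]byte, error) {
	if len(u.Signature) != ed25519.SignatureSize {
		return nil, errors.New("update rejected: missing or malformed signature")
	}
	if !ed25519.Verify(pub, u.Body, u.Signature) {
		return nil, errors.New("update rejected: signature does not match body")
	}
	return u.Body, nil
}

func main() {
	tampered := manInTheMiddle(serveUpdate())
	fmt.Printf("unverified client installed: %q\n", installUnverified(tampered))
	if _, err := installVerified(tampered, vendorPub); err != nil {
		fmt.Println("verified client:", err)
	}
	if body, err := installVerified(serveUpdate(), vendorPub); err == nil {
		fmt.Printf("verified client installed genuine update: %q\n", body)
	}
}
```

Two caveats a practitioner would add: the signature above covers only the body, so an attacker could replay an older, genuinely signed update to roll the phone back to stale definitions; including a version number or date in the signed data and refusing anything older than what is already installed closes that. And pinning the public key means a key rotation needs its own plan, so the check should be designed together with the vendor's key-management process rather than bolted on afterwards.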

Check Point said it's disclosed this vulnerability to Xiaomi, and that the phone maker has released a patch to fix the flaw.

"Xiaomi is aware of this and have already worked with our partner Avast to fix it," a company spokeswoman said in a statement.

Xiaomi phones are some of the most popular devices in China, and the company also makes its own foldable phones and high-end gaming phones. Its handsets ranked as the fourth most shipped phones in the world, according to its quarterly earnings report last December, and Xiaomi said it sold about 118.7 million phones in 2018.

Preventing vulnerabilities on your phone is hard enough as it is, with people having to watch out for hundreds of thousands of bad apps every year. When the security flaw comes preinstalled, it creates a new challenge as millions of people are exposed to an attack from the moment they boot up their device.

Phones are also attractive targets for hackers, carrying sensitive information like your location, photos, messages and contacts. Malware is appearing more frequently on phones, and with this vulnerability on Xiaomi devices, an attacker had plenty of options, Check Point said.

Using the vulnerability, a potential hacker could have intercepted Guard Provider's update process and added malware that would steal data, install tracking apps or plant ransomware, Makkaveev said.

Check Point said Xiaomi has since fixed the issue, so the first step for owners is to make sure the patch has been installed. If you're concerned about vulnerabilities like this, you should also be wary of public Wi-Fi networks: the attack required the attacker to be on the same Wi-Fi network as the victim.