CPRID-1030
Information
Xiaomi Browser (com.android.browser package) built-in app downloads a self-updating APK file to the public accessible storage and installs the APK file after its hash verification.
An attacker can overwrite the file right after verification and lead to an arbitrary app installation.
References:
https://research.checkpoint.com/androids-man-in-the-disk/