Xiaomi GuardProvider (com.miui.guardprovider) built-in app downloads virus database updates over an insecure HTTP connection.
A MITM proxy allows an attacker to replace AVL archive files and, using the path-traversal vulnerability in the Zip decryptor, overwrite any file in the app’s sandbox directory.
An attacker can replace the Avast database APK file stored in the app’s internal directory, leading to code execution.