Microsoft has discovered a vulnerability in the operation of several popular Android applications. The security flaw, dubbed “Dirty stream” by researchers, allows a malicious application to contact and trap certain applications legitimate.
Also read: This Android malware disappears after siphoning data from your smartphone
A flaw in the way Android apps communicate
The cyberattack relies on Android’s content provider, a crucial component that acts as an intermediary and facilitates secure sharing and access of data between different applications and services. This component includes a permissions system. Improperly configured, these permissions allow you to bypass the operating system’s security mechanisms. As Microsoft explains, a “bad implementation” from the supplier “may introduce vulnerabilities that could allow bypassing read/write restrictions in an application’s home directory”.
Concretely, the flaw allows a malicious application to transmit a File with a manipulated name or path to another application. The target application receives the file and trusts the misleading name or path. It then executes or stores the malicious file in a critical directory.
Microsoft report says breach leaves attacker “overwrite files in vulnerable application’s home directory”. Once this is done, the malicious application is able toexecute code arbitrarily and get “total control over the behavior of an application”. Furthermore, the hacker can grant himself “access to user accounts and sensitive data” stored on the smartphone.
Which Android apps are affected by Dirty Stream?
Microsoft has identified several apps vulnerable to a “Dirty stream” attack on the Play Store. These applications combine more than four billion installations. Among the affected apps are File Manager, Xiaomi’s file manager, and WPS Office, an office suite designed by the Chinese company Kingsoft. Alerted by Microsoft, Xiaomi and Kingsoft have deployed patches.
In Microsoft’s opinion, the “vulnerability model” of “Dirty stream” may end up in the code of several other Android applications. This is why the American group encourages “Developers and publishers to check their apps for similar issues”.
Google reviews its guidelines
In response, Google updated its security guidelines for Android application developers. These guidelines aim to prevent the appearance of vulnerabilities in the operation of the content provider of Android applications. They are based directly on the findings of Microsoft researchers.
Google especially recommends“ignore file name” provided by the communicating application and“use its own internally generated unique identifier as the file name instead”. This precaution cuts the ground from under the feet of possible attackers. For Microsoft, the best solution remains to opt for “randomly generated names, so that even in the case where the content of an incoming stream is malformed, it will not corrupt the application”.
-
-
