ANDROID owners have been warned about an invisible attack that could wipe out accounts before you even realize it.
Microsoft researchers have discovered many recently Android apps can be vulnerable to remote attacks, data theft and other problems due to a common security problem.
At least four of the apps affected countries each have more than 500 million installations.
And one, Xiaomi's File Manager, has at least 1 billion installs from Android users.
The issue that Microsoft discovered affects Android applications that share files with other applications.
It is known as “Dirty Stream”. malicious apps to send a file with a manipulated filename or path to another app.
This gives attackers the opportunity to create a rogue app that can send a file with a malicious filename directly to a receiving app without the user's knowledge or approval.
Typical file sharing targets include email clients, messaging apps, network apps, browsers, and file editors.
When a share target receives a malicious filename, it uses the filename to trigger a process that may end up with the app gets compromisedsaid Microsoft.
The target app is tricked into trusting the file name or path and executes the file or saves it to a critical folder.
This manipulation of the data flow between two Android apps turns a common function into a weaponized tool.
The potential impact will vary depending on the specifics of an Android application.
In some cases, an attacker can use a malicious app to override the settings of a receiving app and cause it to communicate with a server controlled by the attacker, or to share the user's authentication tokens and other data.
Microsoft has now informed Googling's Android security research team of the issue.
And the Silicon Valley tech giants have now published new guidelines for Android app developers on how to spot and fix the problem.
Microsoft researcher Dimitrios Valsamaras noted that these incorrect implementations are unfortunately widespread among Android users.
“We identified several vulnerable applications in the Google Play Store that accounted for more than four billion installs,” the report said.
It adds: “We expect the vulnerability pattern can be found in other applications.
“We are sharing this research so that developers and publishers can monitor their apps for similar issues, fix them if necessary, and prevent such vulnerabilities from being introduced in new apps or releases.”
Two apps particularly vulnerable to Dirty Stream attacks are Xiaomi's File Manager application and WPS Office, Microsoft says.
Microsoft said suppliers of both products have already resolved the issue.
But it believes that there are more apps that are fallible to exploit and compromise due to the same security weakness.
Must-have Android tips to boost your phone
Get the most out of your Android smartphone with these little-known hacks:
We expect the vulnerability pattern can also be found in other applications,” Microsoft's Threat Intelligence team said in a blog post this week.
“We are sharing this research so that developers and publishers can monitor their apps for similar issues, fix them if necessary, and prevent such vulnerabilities from being introduced in new apps or releases.”
Microsoft's findings were shared with the Android developer community.
If you are an Android user, make sure you keep the apps you use up to date to minimize the risks.
Users should also avoid downloading APKs from unofficial third-party app stores and other poorly monitored sources.