Edgar Cervantes / Android Authority
TL; DR
- Microsoft has discovered a security vulnerability affecting Android apps called 'Dirty Stream'.
- This allows attackers to execute malicious code in popular apps, potentially leading to data theft.
- The flaw is widespread, with Microsoft identifying vulnerable apps that have billions of combined installs.
Microsoft has exposed a critical security loophole that could impact countless people Android applications. This vulnerability, called 'Dirty Stream', poses a serious threat that could give someone the ability to take control of apps and steal valuable user information. (h/t: Beeping computer)
At the heart of the 'Dirty Stream' vulnerability lies the ability for malicious Android apps to manipulate and abuse Android's content provider system. This system is typically designed to enable secure data exchange between different applications on a device. It includes safeguards such as strict isolation of data, the use of permissions tied to specific URIs (Uniform Resource Identifiers), and thorough validation of file paths to deter unauthorized access.
However, careless implementation of this system can open the door to exploitation. Microsoft researchers found that improper use of “custom intents” – the messaging system that allows components of Android apps to communicate – can expose sensitive parts of an app. For example, vulnerable apps may fail to adequately check file names or paths, giving a malicious app the opportunity to sneak in malicious code camouflaged as legitimate files.
What is the threat?
By exploiting the Dirty Stream flaw, an attacker can trick a vulnerable app into overwriting critical files in private storage. Such an attack scenario could result in the attacker taking full control over the app's behavior, gaining unauthorized access to sensitive user data, or intercepting private login credentials.
Microsoft's investigation revealed that this vulnerability is not an isolated issue, as the investigation reveals incorrect implementations of the content provider system in many popular Android apps. Two notable examples are Xiaomi's File Manager application, which has over a billion installs, and WPS Office, which has approximately 500 million installs.
Highlighting the staggering number of devices at risk, Microsoft researcher Dimitrios Valsamaras said: “We identified several vulnerable applications in the Google Play Store representing more than four billion installations.”
Microsoft has been proactively sharing its discoveries, alerting developers to potentially vulnerable apps and working with them to implement fixes. Both companies mentioned above immediately acknowledged the identified issues in their software.
Additionally, Google has taken steps to prevent similar vulnerabilities in the future by updating its app security guidelines, now placing additional emphasis on exploitable common design flaws from content providers.
What can Android users do?
While developers do their best to find and patch vulnerable apps, Android users can take some simple precautions. Staying vigilant with app updates is critical, as developers are likely to release fixes quickly.
Furthermore, it is advisable to always download applications from the official Google Play Store and be very careful when downloading from unofficial sources as they have a higher chance of containing malicious apps.