Microsoft has brought to everyone’s notice that a new attack named “Dirty Stream” is enabling malicious Android apps to overwrite files in another app’s home directory. This could potentially lead to arbitrary code execution and theft of sensitive data secretly.
The flaw can be a result of the improper use of Android’s content provider system, which manages to gain access to structured data sets that are meant to be shared between different apps.
This system features data isolation, URI permissions, and path validation security measures that curb unauthorized access, data leaks, and path traversal attacks. When used in the wrong manner, custom intents, which are messaging objects providing communication between components in the Android apps, could bypass these measures.
Also Read: OpenAI Reportedly Working On Search Engine To Rival Google
How does Dirty Stream Attack Operate Within The Apps?
One may wonder what are these incorrect implications. Well, they include trusting unvalidated filenames and paths in intent, misuse of the 'FileProvider' component, and inadequate path validation.
Ditry Stream attack enables malicious apps to send a file with a changed filename or path to another app. The targeted app is misled into trusting the filename and stores the file in a critical directory.
As per Microsoft researcher Dimitrios Valsamaras, these incorrect implications are very abundant, impacting apps installed over four billion times and setting the field for massive attacks.
"We identified several vulnerable applications in the Google Play Store that represented over four billion installations," reads the report. "We anticipate that the vulnerability pattern could be found in other applications. We're sharing this research so developers and publishers can check their apps for similar issues, fix as appropriate, and prevent introducing such vulnerabilities into new apps or releases."
Also Read: Engineers Report Burnout As Tech Companies Chase AI Gold Rush
Microsoft Names Two Apps Vulnerable To Dirty Stream
Microsoft’s report highlighted two apps as vulnerable to the attacks. The company said that Xiaomi's File Manager application, with more than a billion installations, WPS Office, has over 500 million downloads.
Both companies have acknowledged the findings and collaborated with Microsoft to roll out fixes to bring down the risks posed by the attack. The findings of the report were shared with the Android-developed community via an article on the Android Developers website to curb resembling vulnerabilities in the upcoming builds.
Google has also updated its app security guidance to show the common implementation errors in the content provider system that fail to detect security bypasses. For end users, there’s not much they can do to avoid it apart from keeping these apps up to date and avoiding downloading APKs from third-party app stores.