Microsoft warns many big Android apps carry major flaws

Android Logo
(Image credit: Google)

Cybersecurity researchers from Microsoft found a way for Android malware to overwrite files in another, legitimate application’s home directory. In theory, threat actors could use this vulnerability to mount arbitrary code execution attacks, or steal sensitive files from apps.

In a blog post published earlier this week, Microsoft broke down how the vulnerability works, which apps were vulnerable, which already plugged the holes, and what can be expected in the weeks and months to come.

The vulnerability stems from the way Android tries to keep sensitive information, generated by different apps, secure.

Dirty Stream

As Microsoft explains, every app on the Android device is isolated from others by getting its own dedicated data and memory space. That prevents the apps from reading each other’s data which could, in some scenarios, lead to data leakage. 

But sometimes apps need to share data among themselves, which is why Android introduced a component called content provider, which works as an interface for securely managing and exposing data to other apps. 

“When used correctly, a content provider provides a reliable solution. However, improper implementation can introduce vulnerabilities that could enable bypassing of read/write restrictions within an application’s home directory,” the researchers explained. 

The worst part is that improper implementations are too many to count. Microsoft claims that it identified vulnerable applications in the Play Store “that represented over four billion installations.”

Among them are XIaomi’s File Manager (more than a billion installations), and WPS Office (roughly 500 million installs). Microsoft notified these two companies of its findings, and both have already deployed fixes and mitigated the risks. However, since there are too many vulnerable applications out there to notify everyone separately, Microsoft published an article on the Android Developers website, BleepingComputer found. Furthermore, Google updated its app security guidance to reflect the findings, as well.

The vulnerability was dubbed “Dirty Stream”.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

TOPICS