Android apps are vulnerable to the Dirty Stream vulnerability

Many popular Android apps on the Google Play Store are prone to a particular vulnerability, known as the Dirty Stream attack.

This vulnerability, which involves path traversal, can be exploited by a malicious application to overwrite arbitrary files in the affected application's home directory.

"The impact of this vulnerability includes arbitrary code execution and certificate theft, depending on how the application is used," according to Dimitrios Valsamaras of the Microsoft Threat Intelligence team, in a report published Wednesday.

Successful exploitation could allow an attacker to fully control the behaviour of the application, as well as use stolen tokens to gain unauthorised access to the victim's online accounts and related data.

Two of the applications found to be vulnerable to the problem are:

Xiaomi File Manager (com.mi.android.globalFileexplorer) - over 1 billion installations

WPS Office (cn.wps.moffice_eng) - over 500 million installations

Android isolates each application, giving it its own dedicated data and memory space. To allow data and files to be shared between applications securely, it offers a mechanism called a content provider. However, weaknesses in how individual applications implement it may allow the access restrictions on an application's private data directory to be bypassed.

"This content delivery-focused model has a defined file sharing mechanism, allowing applications to share their own files with other applications securely and with granular control," said Dimitrios Valsamaras.

However, there are frequent cases where the application receiving the data does not validate the content of the file it receives. Even more critically, it uses the filename exactly as provided by the serving application to cache the incoming file in its own internal data directory.

This trap can have serious consequences, particularly when a serving application declares a malicious version of the FileProvider class, the component meant to facilitate file sharing between applications. The result is that the consuming application overwrites critical files within its own private data space.

In other words, the attack exploits the consuming application's uncritical trust in its input: a specially crafted file, delivered via a specially crafted intent, lets an arbitrary and potentially harmful payload be written without the user's knowledge or consent, leading to code execution.

As a result, this process could allow an attacker to overwrite the targeted application's shared preferences file so that it connects to a server under the attacker's control, in order to extract sensitive data.

A different scenario concerns applications that load native libraries from their own data directory (instead of "/data/app-lib"). A malicious application can exploit the same flaw to replace such a native library with malicious code, which will then run as soon as the library is loaded.

Following responsible disclosure of the problem, both Xiaomi and WPS Office shipped fixes as of February 2024. However, Microsoft noted that the issue could have more far-reaching implications, stressing the need for developers to check their own apps for similar flaws.

Google also published its own guidance on the issue, urging developers to handle the filename provided by the serving application with care.

"When a client application saves the received file, it should disregard the file name given by the server application. Instead, it should use a unique identifier generated internally for the file name," Google said. "In the event that the creation of a unique filename is not possible, the client application should implement sanitization procedures for the provided filename."
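The following is an added example, not code from the article, from Microsoft or from Google, illustrating the flaw described above and Google's guidance in an Android receiving Activity. It shows the vulnerable pattern (the received file is written under the DISPLAY_NAME reported by the serving app's content provider) next to a hardened version that names the file with an internally generated UUID, keeps at most a short alphanumeric extension, and additionally checks that the resolved destination stays inside the intended directory. The package, class and helper names are illustrative.

```java
// Added example (not from the article, Microsoft or Google). Illustrative
// package and class names; standard Android SDK APIs only.
package com.example.receiver;

import android.app.Activity;
import android.database.Cursor;
import android.net.Uri;
import android.os.Bundle;
import android.provider.OpenableColumns;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.UUID;

public class ReceiveFileActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Uri uri = getIntent().getData();
        if (uri == null || !"content".equals(uri.getScheme())) {
            finish();
            return;
        }
        try {
            File saved = saveSafely(uri);   // the fixed path; saveVulnerable() shows the flaw
            // ... hand `saved` to the app's real processing logic ...
        } catch (IOException | SecurityException e) {
            // Drop the file and log; never fall back to the provider-supplied name.
        } finally {
            finish();
        }
    }

    /** VULNERABLE pattern: trusts DISPLAY_NAME from the serving application. */
    private File saveVulnerable(Uri uri) throws IOException {
        String name = queryDisplayName(uri);       // controlled by the other app
        File out = new File(getFilesDir(), name);  // a name containing "../" escapes filesDir
        copy(uri, out);
        return out;
    }

    /** Hardened per Google's guidance: internally generated name plus a containment check. */
    private File saveSafely(Uri uri) throws IOException {
        File dir = new File(getCacheDir(), "received");
        if (!dir.isDirectory() && !dir.mkdirs()) {
            throw new IOException("cannot create " + dir);
        }
        String ext = safeExtension(queryDisplayName(uri));
        File out = new File(dir, UUID.randomUUID() + ext);
        // Belt and braces: the canonical destination must lie inside `dir`.
        String base = dir.getCanonicalPath() + File.separator;
        if (!out.getCanonicalPath().startsWith(base)) {
            throw new SecurityException("destination escapes " + dir);
        }
        copy(uri, out);
        return out;
    }

    /** Keep only a short alphanumeric extension from the provided name, or none. */
    static String safeExtension(String name) {
        if (name == null) return "";
        int dot = name.lastIndexOf('.');
        if (dot < 0 || dot == name.length() - 1) return "";
        String ext = name.substring(dot + 1);
        return ext.matches("[A-Za-z0-9]{1,8}") ? "." + ext.toLowerCase() : "";
    }

    private String queryDisplayName(Uri uri) {
        String[] projection = { OpenableColumns.DISPLAY_NAME };
        try (Cursor c = getContentResolver().query(uri, projection, null, null, null)) {
            if (c != null && c.moveToFirst()) return c.getString(0);
        }
        return null;
    }

    private void copy(Uri uri, File out) throws IOException {
        try (InputStream in = getContentResolver().openInputStream(uri);
             OutputStream os = new FileOutputStream(out)) {
            if (in == null) throw new IOException("provider returned no stream");
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) os.write(buf, 0, n);
        }
    }
}
```

The containment check is redundant once the name is generated internally, but it is cheap and catches regressions if someone later reintroduces a provider-supplied component into the path. Sanitizing the full provided name, as Google allows when a generated name is not an option, is harder to get right than keeping a whitelisted extension, so the example deliberately discards everything else.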

Source: thehackernews
