Microsoft is warning Android application users and developers about a recently uncovered attack method that can allow threat actors to take control of apps and obtain sensitive data.
The issue has been named Dirty Stream and described by the tech giant as a vulnerability pattern related to path traversal. The company disclosed the details of Dirty Stream this week, focusing on its impact on the Xiaomi File Manager and WPS Office applications, which collectively have more than 1.5 billion installs from Google Play.
Microsoft identified several impacted applications, which have a total of four billion installations, but the company believes the vulnerability pattern could be present in other Android apps as well.
The issue is related to a data and file sharing mechanism on Android, specifically the content provider component and its ‘FileProvider’ class, which enables file sharing between installed applications. Improperly implementing this mechanism can introduce potentially serious vulnerabilities.
Microsoft discovered that malicious applications could leverage the Dirty Stream technique to overwrite files in the targeted application’s home directory, which can lead to arbitrary code execution and token theft.
Being able to execute arbitrary code enables the attacker to gain full control of the targeted app’s behavior, while token theft can allow the hacker to access user accounts and sensitive data.
Malicious code execution can be achieved by overwriting the application’s code. In addition, the attacker can modify the app’s behavior by, for instance, overwriting preferences and other configuration files.
The developers of apps affected by Dirty Stream have been notified by Microsoft and they have released patches, but the company is urging all developers to analyze its research and ensure that their products are not impacted.
Google has also been notified and it has published an article on the Android Developers website to inform developers about risks associated with the content provider component.
Related: VPN Apps on Google Play Turn Android Devices Into Proxies
Related: Google Announces Enhanced Fraud Protection for Android
Related: Critical Remote Code Execution Vulnerability Patched in Android