Researchers from Microsoft’s Threat Intelligence team recently disclosed a path traversal-related vulnerability known as the “Dirty Stream” attack. This vulnerability has been identified in numerous popular Android applications.
This vulnerability allows a malicious app to overwrite files in the vulnerable app’s home directory.
According to Dimitrios Valsamaras from the Microsoft Threat Intelligence team, “The consequences of this vulnerability pattern may include arbitrary code execution and token theft, contingent on how an application is implemented.”
He further explained, “Arbitrary code execution grants a threat actor complete control over an application’s functions. On the other hand, token theft can grant access to user accounts and sensitive data.”
Numerous vulnerable apps in the Google Play Store, totaling over four billion installations, were impacted by this discovery.
Two of the apps impacted by this issue were Xiaomi Inc.’s File Manager (com.mi.android.globalFileexplorer), with a user base exceeding 1 billion installations, and WPS Office (cn.wps.moffice_eng), which has been downloaded over 500 million times.
The Android OS isolates apps by giving each one its own dedicated data and memory space. Controlled sharing across that boundary goes through the content provider component, in particular the ‘FileProvider’ class, which is intended to let installed apps exchange data and files securely.
Incorrect implementation of this mechanism can create vulnerabilities that allow bypassing read/write restrictions within an app’s home directory.
“This content provider-based model offers a defined file-sharing mechanism, enabling an app to share files securely with others while maintaining precise control,” stated Valsamaras.
“However, we’ve observed cases where the recipient app doesn’t validate received file content and, more alarmingly, caches the file based on the filename provided by the sender app in its internal data directory.”
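The two halves of that pattern in code, as an added illustration that is not taken from Microsoft’s or Google’s publications: a receiving app that builds a destination path from the display name reported by the sending app’s provider, beside a version that canonicalises the path and refuses anything that resolves outside its own files directory. The class and method names are assumed for the example.

```java
import android.content.Context;
import android.database.Cursor;
import android.net.Uri;
import android.provider.OpenableColumns;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;

// Added example (hypothetical class, not from the original article).
// Receives a file shared through a content:// URI and caches it in the app's
// internal data directory. The display name comes from the *sending* app's
// provider, so it is untrusted input and may contain "../" segments.
public final class SharedFileReceiver {

    // VULNERABLE: trusts the sender-supplied name; ".." segments escape filesDir.
    static File cacheFileUnsafe(Context ctx, Uri uri) throws IOException {
        File dest = new File(ctx.getFilesDir(), queryDisplayName(ctx, uri));
        copy(ctx, uri, dest);
        return dest;
    }

    // HARDENED: resolve the final path and require it to stay inside filesDir.
    static File cacheFileSafe(Context ctx, Uri uri) throws IOException {
        File dir = ctx.getFilesDir();
        File dest = new File(dir, queryDisplayName(ctx, uri));
        String allowedPrefix = dir.getCanonicalPath() + File.separator;
        if (!dest.getCanonicalPath().startsWith(allowedPrefix)) {
            throw new IOException("Rejected shared file name: resolves outside filesDir");
        }
        copy(ctx, uri, dest);
        return dest;
    }

    // Reads OpenableColumns.DISPLAY_NAME from the sender's content provider.
    static String queryDisplayName(Context ctx, Uri uri) {
        try (Cursor c = ctx.getContentResolver().query(uri, null, null, null, null)) {
            if (c != null && c.moveToFirst()) {
                int idx = c.getColumnIndex(OpenableColumns.DISPLAY_NAME);
                if (idx >= 0 && c.getString(idx) != null) return c.getString(idx);
            }
        }
        return "shared.bin"; // fallback when the provider reports no name
    }

    static void copy(Context ctx, Uri uri, File dest) throws IOException {
        try (InputStream in = ctx.getContentResolver().openInputStream(uri);
             FileOutputStream out = new FileOutputStream(dest)) {
            if (in == null) throw new IOException("Provider returned no stream");
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) out.write(buf, 0, n);
        }
    }
}
```

A stricter alternative is to ignore the sender’s name entirely and store the content under a name the receiving app generates itself.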
When exploited, this flaw can let an attacker take full control of the vulnerable app’s behavior, for example making it communicate with a server the attacker controls in order to reach sensitive data.
In accordance with Microsoft’s responsible disclosure policy, the company informed developers of Android apps affected by Dirty Stream about its findings. For example, Xiaomi, Inc. and WPS Office security teams have already investigated and resolved the issue.
However, Microsoft suspects that more apps could be affected and potentially compromised by the same security flaw. It therefore advises all developers to review Microsoft’s research and ensure their products are secure.
“We anticipate that this vulnerability pattern may exist in other apps. We’re sharing our research so developers and publishers can inspect their apps for similar issues, address them as necessary, and prevent these vulnerabilities from appearing in new releases,” Valsamaras stated.
Acknowledging the widespread potential impact of this vulnerability pattern, Microsoft also shared its findings with Google’s Android Application Security Research team.
Google has released an article on the Android Developers website aimed at aiding developers in avoiding the introduction of this vulnerability pattern into their apps.
In the meantime, users can reduce the risk by ensuring their Android devices and installed apps are regularly updated from reliable sources.