Hackers are playing dirty, so take action to protect yourself right now.
Microsoft warned Android users about a new attack, dubbed "Dirty Stream". It allows malicious applications to overwrite files in the home directory of another application, which can lead to arbitrary code execution and theft of secrets.
The error occurs due to improper use of the Android content provider system, which manages access to structured data sets intended for sharing by various applications.
This system includes data isolation, URI permissions, and path validation security measures to prevent unauthorized access, data leaks, and path traversal attacks.
If implemented incorrectly, user-defined Intents, which are messaging objects that facilitate communication between components in Android apps, can bypass these security measures.
The Dirty Stream attack allows malicious applications to send a file with a modified file name or path to another application using a custom intent. The target application is deceived into trusting the file name or path, and executes or saves the file in a critical directory.
General principle of operation of "Dirty Stream"
This manipulation of the data flow between two Android apps turns a common operating system-level function into a dangerous tool and can lead to unauthorized code execution, data theft, or other malicious results.
Various attack scenarios using "Dirty Stream"
Microsoft researcher Dimitrios Valsamaras noted that such incorrect implementations, unfortunately, are plentiful. They even affect apps that have already been installed from Google Play more than four billion times.
Vulnerable programs include, in particular, File Manager from Xiaomi with more than a billion installations and the WPS office suite with about 500 million users. Both companies have already fixed the problems found in their software.
To prevent similar vulnerabilities in the future, Microsoft shared its research with the Android developer community, and Google updated its app security guide to reflect the mistakes made. As for end users, they can protect themselves by updating installed programs in a timely manner and avoiding downloading APKs from untrusted sources.
Microsoft warned Android users about a new attack, dubbed "Dirty Stream". It allows malicious applications to overwrite files in the home directory of another application, which can lead to arbitrary code execution and theft of secrets.
The error occurs due to improper use of the Android content provider system, which manages access to structured data sets intended for sharing by various applications.
This system includes data isolation, URI permissions, and path validation security measures to prevent unauthorized access, data leaks, and path traversal attacks.
If implemented incorrectly, user-defined Intents, which are messaging objects that facilitate communication between components in Android apps, can bypass these security measures.
The Dirty Stream attack allows malicious applications to send a file with a modified file name or path to another application using a custom intent. The target application is deceived into trusting the file name or path, and executes or saves the file in a critical directory.
General principle of operation of "Dirty Stream"
This manipulation of the data flow between two Android apps turns a common operating system-level function into a dangerous tool and can lead to unauthorized code execution, data theft, or other malicious results.
Various attack scenarios using "Dirty Stream"
Microsoft researcher Dimitrios Valsamaras noted that such incorrect implementations, unfortunately, are plentiful. They even affect apps that have already been installed from Google Play more than four billion times.
Vulnerable programs include, in particular, File Manager from Xiaomi with more than a billion installations and the WPS office suite with about 500 million users. Both companies have already fixed the problems found in their software.
To prevent similar vulnerabilities in the future, Microsoft shared its research with the Android developer community, and Google updated its app security guide to reflect the mistakes made. As for end users, they can protect themselves by updating installed programs in a timely manner and avoiding downloading APKs from untrusted sources.
