Security researchers over at Microsoft have detected a new emerging threat targeting Android applications that have millions of installs, with known names such as Xiaomi’s File Manager. Dubbed the “Dirty Stream” attack, this vulnerability pattern poses a significant threat to Android users worldwide.
What Is The Dirty Stream Attack?
Explained in a blog post by Microsoft Threat Intelligence team, the Dirty Stream attack exploits a vulnerability arising from the improper use of Android’s content provider system. This system is designed to manage access to structured data sets that are meant to be shared between different applications, incorporating security measures like data isolation, URI permissions, and path validation to prevent unauthorised access and data leaks.
However, when these security measures are incorrectly implemented, they can be bypassed. The attack involves malicious apps sending files with manipulated filenames or paths to another app using custom intents. The receiving app, misled into trusting the filename or path, may execute or store the file in a critical directory, leading to potential arbitrary code execution and secrets theft.
It can be executed via the Android’s share-sheet dialog box that pops up whenever you try to share a file to third-party apps. “This type of guided file-sharing interaction itself may not trigger a successful attack against a share target, a malicious Android application can create a custom, explicit intent and send a file directly to a share target with a malicious filename and without the user’s knowledge or approval”, read the blog post.
Read More: Apple iMessage, Microsoft Bing Escape Gatekeeper Status For Some Services Under EU’s DMA
The Dirty Stream attack presents a massive attack surface, affecting apps installed over four billion times. Two notable apps that were affected by the issue included Xiaomi’s File Manager application, with over a billion installations, and WPS Office, with around 500 million installs. Both companies have since collaborated with Microsoft to deploy fixes to mitigate the risks posed by the vulnerability.
Upon discovering the vulnerability, Microsoft engaged in responsible disclosure, notifying application developers and working with them to address the issue. This collaborative effort extends to Google, who has also updated its app security guidance to highlight common implementation errors that allow security bypasses.
What to do if you are affected?
For end users, the best defence is to keep their apps up to date and avoid downloading APKs from unofficial third-party app stores. Microsoft urged the developers to check their apps for similar issues and ensure that such vulnerabilities are not introduced into new apps or releases. It also outlined some ways developers can adopt to bypass the vulnerability.