Microsoft has highlighted a novel attack dubbed "Dirty Stream," which could allow malicious Android apps to overwrite files in another application's home directory, potentially leading to arbitrary code execution and secrets theft.
The flaw arises from the improper use of Android's content provider system, which manages access to structured data sets meant to be shared between different applications.
This system incorporates data isolation, URI permissions, and path validation security measures to prevent unauthorized access, data leaks, and path traversal attacks.
When implemented incorrectly, custom intents, which are messaging objects that facilitate communication between components across Android apps, could bypass these security measures.
Examples of incorrect implementations include trusting unvalidated filenames and paths in intents, misuse of the 'FileProvider' component, and inadequate path validation.
Dirty Stream allows malicious apps to send a file with a manipulated filename or path to another app using a custom intent. The target app is misled into trusting the filename or path and executes or stores the file in a critical directory.
This manipulation of the data stream between two Android apps turns a common OS-level function into a weaponized tool and can lead to unauthorized code execution, data theft, or other malicious outcomes.
Microsoft researcher Dimitrios Valsamaras noted that these incorrect implementations are unfortunately abundant, impacting apps installed over four billion times and offering a massive attack surface.
"We identified several vulnerable applications in the Google Play Store that represented over four billion installations," reads the report.
"We anticipate that the vulnerability pattern could be found in other applications. We're sharing this research so developers and publishers can check their apps for similar issues, fix as appropriate, and prevent introducing such vulnerabilities into new apps or releases."
Two apps highlighted as vulnerable to Dirty Stream attacks in Microsoft's report are Xiaomi's File Manager application, which has over a billion installations, and WPS Office, which counts around 500 million installs.
Both companies were responsive to the findings and collaborated with Microsoft to deploy fixes to mitigate the risks posed by the vulnerability.
Microsoft's findings were shared with the Android developer community through an article on the Android Developers website to prevent similar vulnerabilities in future builds.
Google also updated its app security guidance to highlight common implementation errors in the content provider system that allow security bypasses.
As for end users, there's not much they can do besides keeping the apps they use up to date and avoiding downloading APKs from unofficial third-party app stores and other poorly vetted sources.