Security researchers at Microsoft's Threat Intelligence team have revealed a path traversal vulnerability pattern, dubbed the "Dirty Stream" attack, in several popular Android applications.
The vulnerability could enable a malicious app to overwrite arbitrary files in the vulnerable app's home directory.
In a report published on Wednesday, Dimitrios Valsamaras of the Microsoft Threat Intelligence team said, “The implications of this vulnerability pattern include arbitrary code execution and token theft, depending on an application’s implementation.”
He added, "Arbitrary code execution can provide a threat actor with full control over an application's behavior. Meanwhile, token theft can provide a threat actor with access to the user's accounts and sensitive data."
The vulnerability pattern was found in multiple apps on the Google Play Store, representing over four billion installations combined.
Two of the vulnerable apps were Xiaomi Inc.'s File Manager (com.mi.android.globalFileexplorer), which has over 1 billion installations, and WPS Office (cn.wps.moffice_eng), which has more than 500 million downloads.
The Android operating system enforces isolation by assigning each application its own dedicated data and memory space. To share data across that boundary, Android provides the content provider component and, in particular, its "FileProvider" class, which facilitates secure data and file sharing with other installed applications.
When implemented incorrectly, this mechanism can introduce vulnerabilities that enable bypassing of the read/write restrictions on an application's home directory.
“This content provider-based model provides a well-defined file-sharing mechanism, enabling a serving application to share its files with other applications in a secure manner with fine-grained control,” Valsamaras noted.
“However, we have frequently encountered cases where the consuming application doesn’t validate the content of the file that it receives and, most concerning, it uses the filename provided by the serving application to cache the received file within the consuming application’s internal data directory.”
Once a threat actor achieves arbitrary code execution, they gain full control over the application's behavior and can make it communicate with a server under their control to exfiltrate sensitive data.
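The consumer-side mistake Valsamaras describes, trusting the serving app's filename when caching the received file, next to a hardened version. This is an added illustration written for this article, not code from Microsoft's report or from any of the affected apps; the class and method names are assumed.

```java
import android.content.Context;
import android.database.Cursor;
import android.net.Uri;
import android.provider.OpenableColumns;
import java.io.*;

// Handling a file received from another app's content provider.
// The serving app controls DISPLAY_NAME, so it is untrusted input.
public final class ReceivedFileCache {

    // Vulnerable pattern: the provider-supplied name is joined to the cache
    // directory verbatim, so a name containing "../" escapes the cache
    // directory and can overwrite files elsewhere in the app's home directory.
    static File unsafeCache(Context ctx, Uri uri) throws IOException {
        File out = new File(ctx.getCacheDir(), queryDisplayName(ctx, uri));
        copy(ctx, uri, out);
        return out;
    }

    // Hardened pattern: never use the provider's name as a path. Write to a
    // file whose name we generate ourselves, inside a dedicated directory, and
    // verify the canonical destination still lies within that directory.
    static File safeCache(Context ctx, Uri uri) throws IOException {
        File dir = new File(ctx.getCacheDir(), "received");
        if (!dir.isDirectory() && !dir.mkdirs()) throw new IOException("no cache dir");
        File out = File.createTempFile("recv-", ".bin", dir); // our name, not theirs
        String base = dir.getCanonicalPath() + File.separator;
        if (!out.getCanonicalPath().startsWith(base)) {
            throw new IOException("destination escapes cache directory");
        }
        copy(ctx, uri, out);
        return out; // keep DISPLAY_NAME only as metadata shown to the user, if at all
    }

    static String queryDisplayName(Context ctx, Uri uri) {
        String[] proj = {OpenableColumns.DISPLAY_NAME};
        try (Cursor c = ctx.getContentResolver().query(uri, proj, null, null, null)) {
            if (c != null && c.moveToFirst()) return c.getString(0);
        }
        return null;
    }

    static void copy(Context ctx, Uri uri, File out) throws IOException {
        try (InputStream in = ctx.getContentResolver().openInputStream(uri);
             OutputStream os = new FileOutputStream(out)) {
            if (in == null) throw new IOException("provider returned no stream");
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) > 0; ) os.write(buf, 0, n);
        }
    }
}
```

If the original name must be preserved (for example to display it), validate it separately and store it as a string, never as part of the path; the content of the stream should still be validated before the app acts on it.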
As part of Microsoft's responsible disclosure policy, the company shared its findings with the developers of the Android apps affected by Dirty Stream. The Xiaomi, Inc. and WPS Office security teams, for instance, have already investigated and fixed the issue.
However, the company believes that more applications could be affected by the same security weakness, and it recommends that all developers review the research and confirm that their products are not vulnerable.
"We anticipate that the vulnerability pattern could be found in other applications. We're sharing this research so developers and publishers can check their apps for similar issues, fix as appropriate, and prevent introducing such vulnerabilities into new apps or releases," Valsamaras added.
Recognizing that this vulnerability pattern may be widespread, Microsoft also shared its findings with Google's Android Application Security Research team.
The search giant has published an article on the Android Developers website to help developers avoid introducing this vulnerability pattern into their apps.
Meanwhile, users can mitigate the risk by keeping their Android devices and installed apps up to date and by installing apps only from trusted sources.