Android apps with 4B installs leave open doors to code execution attacks


If your Android device has Xiaomi’s File Manager or WPS Office, update them immediately. Several Android apps with more than four billion total installs have been found to be vulnerable, allowing attackers to run arbitrary code or steal credentials.

Microsoft has discovered multiple popular Android apps that are vulnerable to an attack, tricking the apps into overwriting their own critical files. Malware can exploit this vulnerability, called a “dirty stream attack,” by crafting filenames, which are then blindly accepted by the vulnerable apps without validation.

“The implications of this vulnerability pattern include arbitrary code execution and token theft, depending on an application’s implementation,” Microsoft said.


“Arbitrary code execution can provide a threat actor with full control over an application’s behavior. Meanwhile, token theft can provide a threat actor with access to the user’s accounts and sensitive data.”

Xiaomi’s File Manager, with over a billion installs, and WPS Office, with more than 500 million installs on the Google Play Store, were both vulnerable to the attack. After the disclosure, as of February 2024, the developers have released updates addressing the vulnerabilities.

However, Microsoft identified multiple other undisclosed apps vulnerable to “dirty stream” that were installed more than 2.5 billion times. At least two more apps had over 500 million installs. The company also anticipates “that the vulnerability pattern could be found in other applications.”

How would the attack work?

The Android operating system enforces app isolation by assigning each application its own dedicated data and memory space. For file sharing, Android provides a component acting as an interface for managing and exposing data to the rest of the apps on the device.

Microsoft researchers observed that multiple apps do not validate the provided file content and even reuse the filenames supplied by other apps when caching the received file within their internal data directory.

“Improper implementation can introduce vulnerabilities that could enable bypassing of read/write restrictions within an application’s home directory,” Microsoft explains.

In the case of Xiaomi's File Manager, the implementation allowed attackers to execute arbitrary code by overwriting a native library with a malicious one. Moreover, attackers could then connect to remote FTP or SMB shares on the local network.


Google released guidance for developers on how to address the issue in their apps.

“If an attacker can overwrite an application's files, this can lead to malicious code execution (by overwriting the application's code), or allow otherwise modifying the application's behavior (for example, by overwriting the application's shared preferences or other configuration files),” Google warned.
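The missing validation step that the attack pattern above relies on, as an added example in plain Java that is not code from Microsoft's research, from Google's guidance, or from the affected apps. The class and method names are assumed; an Android app would obtain the display name from the sending app's content provider, whereas here the names are constructed inline so the check runs without the Android SDK.

```java
import java.io.File;
import java.io.IOException;

// Added example (not from the original article). On Android the untrusted displayName
// would come from the sending app's content provider (OpenableColumns.DISPLAY_NAME);
// the sample names below are constructed to exercise the check.
public class DirtyStreamCheck {

    /**
     * Returns the File under cacheDir where a received stream may be written, or null
     * if the provider-supplied display name must be rejected. The name is never trusted:
     * it must be a single path component, and the resolved path must stay inside cacheDir.
     */
    public static File resolveCacheFile(File cacheDir, String displayName) throws IOException {
        if (displayName == null || displayName.isEmpty()) {
            return null;
        }
        // A display name is a leaf name; any separator or traversal element is hostile.
        if (displayName.contains("/") || displayName.contains("\\")
                || displayName.equals(".") || displayName.equals("..")
                || displayName.indexOf('\0') >= 0) {
            return null;
        }
        File candidate = new File(cacheDir, displayName);
        // Canonicalise both sides so symlinks and "." / ".." cannot escape the directory.
        String base = cacheDir.getCanonicalPath() + File.separator;
        if (!candidate.getCanonicalPath().startsWith(base)) {
            return null;
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        File cacheDir = new File(System.getProperty("java.io.tmpdir"), "app-cache");
        // Constructed sample names: the first is benign, the rest imitate the attack.
        String[] names = {
            "report.pdf",
            "../lib/libnative.so",          // would overwrite a native library
            "..\\shared_prefs\\auth.xml",   // would overwrite shared preferences
            "..",
        };
        for (String name : names) {
            File f = resolveCacheFile(cacheDir, name);
            System.out.println(name + " -> " + (f == null ? "REJECTED" : f.getPath()));
        }
    }
}
```

The leaf-name check alone defeats the traversal; the canonical-path comparison is kept as defence in depth so the write stays inside the cache directory even if the first check is later relaxed.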

Microsoft, by sharing the research on the vulnerability, hopes that other developers will check their apps for similar widespread issues and release fixes.