Dirty Stream Attack Impacts Android Applications With Billions of Installations

Microsoft found a path traversal vulnerability pattern in popular Android apps that could allow a malicious app to overwrite files in the vulnerable app's private data directory, leading to arbitrary code execution and token theft.

Patches have been deployed for some of the affected apps (e.g., Xiaomi's File Manager and WPS Office), and Google published developer guidance to help app authors avoid this vulnerability pattern.

Android’s file system isolates applications but allows controlled sharing through content providers. The FileProvider subclass enables an app to share specific directories with other apps, where each provider has a unique authority that acts like an address.

A content URI includes the provider's authority, a sub-path and the filename; the data owner grants temporary access by attaching URI-permission flags to the intent that carries the URI.


Upon receiving a request, the provider validates the URI and grants read/write access to the corresponding file. 

Figure: The Android share sheet dialog

The vulnerability arises when the consuming application blindly trusts the filename that the serving application's provider advertises for the URI (typically read back by querying the provider for its display name). A malicious app can exploit this by sending a custom intent whose content URI points to the attacker's own FileProvider, and returning a crafted filename such as one containing path traversal sequences.

Figure: Dirty stream attack

A consuming application that joins this untrusted filename to a directory path and writes the received stream there can be made to overwrite critical files in its own private data directory with attacker-controlled content, with serious consequences.
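The following Java is an added example and is not code from the original article, from Microsoft's research or from Google's guidance. It shows the consumer-side pattern described above: a copy routine that uses the provider-supplied display name unchecked, beside a hardened variant that rejects names containing separators or traversal and confirms the canonical destination stays inside the intended directory. The class and method names (SharedFileReceiver, copyToCacheVulnerable, copyToCacheHardened, isSafeFileName, isInsideDir) are hypothetical; the Android APIs used (ContentResolver.query, OpenableColumns.DISPLAY_NAME, ContentResolver.openInputStream, Context.getCacheDir) are real.

```java
import android.content.ContentResolver;
import android.content.Context;
import android.database.Cursor;
import android.net.Uri;
import android.provider.OpenableColumns;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

/** Consumer side of a content:// share: vulnerable and hardened copy routines (added example). */
public final class SharedFileReceiver {

    private SharedFileReceiver() {}

    // Ask the serving app's provider which display name it advertises for the URI.
    // The returned string is entirely under the serving (possibly malicious) app's control.
    static String queryDisplayName(ContentResolver resolver, Uri uri) {
        String[] projection = {OpenableColumns.DISPLAY_NAME};
        try (Cursor c = resolver.query(uri, projection, null, null, null)) {
            if (c != null && c.moveToFirst()) {
                int idx = c.getColumnIndex(OpenableColumns.DISPLAY_NAME);
                if (idx >= 0) return c.getString(idx);
            }
        }
        return null;
    }

    // VULNERABLE: the provider-supplied name is joined to the cache directory unchecked.
    // A provider that returns a name such as "../shared_prefs/settings.xml" makes this
    // write land outside cacheDir, inside the consuming app's private data directory.
    static File copyToCacheVulnerable(Context ctx, Uri uri) throws IOException {
        String name = queryDisplayName(ctx.getContentResolver(), uri);
        File out = new File(ctx.getCacheDir(), name);
        copyStream(ctx.getContentResolver(), uri, out);
        return out;
    }

    // HARDENED: reject any name that could change directory, then confirm the canonical
    // destination is still inside the intended directory before opening the stream.
    static File copyToCacheHardened(Context ctx, Uri uri) throws IOException {
        String name = queryDisplayName(ctx.getContentResolver(), uri);
        if (!isSafeFileName(name)) {
            throw new SecurityException("Rejected provider-supplied filename: " + name);
        }
        File targetDir = ctx.getCacheDir();
        File out = new File(targetDir, name);
        if (!isInsideDir(targetDir, out)) {
            throw new SecurityException("Destination escapes " + targetDir);
        }
        copyStream(ctx.getContentResolver(), uri, out);
        return out;
    }

    // A display name is only ever a leaf: non-empty, not "." or "..", no separators, no NUL.
    static boolean isSafeFileName(String name) {
        if (name == null || name.isEmpty()) return false;
        if (name.equals(".") || name.equals("..")) return false;
        if (name.indexOf('/') >= 0 || name.indexOf('\\') >= 0 || name.indexOf('\0') >= 0) return false;
        return true;
    }

    // Canonicalize both paths (resolving ".." and symlinks) and require a prefix match that
    // ends at a directory boundary, so ".../cache2" is not accepted as being inside ".../cache".
    static boolean isInsideDir(File dir, File candidate) throws IOException {
        String root = dir.getCanonicalPath();
        String path = candidate.getCanonicalPath();
        return path.startsWith(root + File.separator);
    }

    private static void copyStream(ContentResolver resolver, Uri uri, File out) throws IOException {
        try (InputStream in = resolver.openInputStream(uri);
             OutputStream os = new FileOutputStream(out)) {
            if (in == null) throw new IOException("Provider returned no stream for " + uri);
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) os.write(buf, 0, n);
        }
    }
}
```

Both checks are deliberately kept: isSafeFileName rejects the crafted name before any filesystem call, and isInsideDir is the backstop for anything the name filter does not anticipate. An even simpler design is to ignore the provider's display name entirely and write to a randomly generated filename, keeping the advertised name only as metadata shown to the user.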

Researchers at Microsoft discovered a vulnerability pattern in popular Android apps that allows malicious apps to overwrite files in the vulnerable app’s directory, which could lead to attackers stealing user credentials or even achieving arbitrary code execution on the device. 

By exploiting how some apps load libraries from their data directory, attackers could replace legitimate libraries with malicious code. 

Figure: Connecting to remote shares using the file manager

A vulnerability in Xiaomi's File Manager app allows other installed apps to gain unauthorized write access to the File Manager's internal storage because the app improperly validates incoming file copy requests.

Figure: Validating an incoming copy file request

Specifically, the app fails to check the scheme of the content URI used to specify the destination directory, so a malicious app can craft a request that writes data into the File Manager's internal storage instead of the intended location, which in turn lets an attacker steal sensitive data stored by the File Manager app.

A vulnerability in a file manager app allows attackers to achieve code execution with the file manager’s user ID. By exploiting a path traversal vulnerability, they can save a malicious library in the app’s home directory.  

Figure: The junk files cleaner plugin user interface

Then, they trick the app into using the malicious library by manipulating a hash value stored in a backup preferences file, where the app loads the attacker’s code instead of the legitimate library.  

Figure: FTP shared files, saved in the external storage

A vulnerability in a mobile file browser app allows attackers to steal login credentials for SMB and FTP remote shares stored in clear text on the device. By exploiting the app’s interaction with a junk cleaner app, attackers can gain code execution and steal these credentials. 

With stolen credentials, attackers can directly access SMB and FTP shares on the local network or access files downloaded from those shares stored on the device’s external storage. 
