Several widely used Android applications on the Google Play Store have been identified as vulnerable to a path traversal weakness known as the “Dirty Stream” attack. The flaw lets a malicious application overwrite files inside an affected app’s home directory. According to Dimitrios Valsamaras of the Microsoft Threat Intelligence team, the consequences can range up to arbitrary code execution and token theft, depending on how the targeted application is implemented.
Exploiting this vulnerability could grant an attacker full control over the application’s operations. Moreover, the compromised tokens could be exploited to gain unauthorized access to the victim’s online accounts and sensitive information. Notable applications affected by this vulnerability include Xiaomi File Manager, which boasts over 1 billion installations, and the WPS Office app, which has amassed over 500 million installations.
Android sandboxes each application in its own data and memory space, and offers the content provider mechanism so that apps can share data with one another securely. Many implementations, however, skip critical validation checks: the receiving application blindly trusts whatever the sending application supplies, which can lead to malicious overwrites of files in its private data directory.
Valsamaras further elaborated, explaining that while the content provider should enable secure file sharing, frequent oversights occur when the receiving application fails to validate the incoming files. Particularly concerning is the scenario where a malicious version of the FileProvider class is employed, allowing for the unintended overwriting of essential files within a consuming app’s internal data. This weakness could manipulate the consuming app into executing arbitrary payloads, potentially resulting in data exfiltration.
In another serious scenario, apps that load native libraries from their own data directories could be tricked into executing malicious replacements of these libraries. This exploitation could occur if a rogue application leverages the aforementioned vulnerability to inject harmful code that executes upon the library’s loading.
In response to this discovery, both Xiaomi and WPS Office shipped fixes as of February 2024. Microsoft’s analysis nonetheless suggests that the pattern is more widespread than initially observed, and it has called on developers to audit their applications for the same risk. Google has also weighed in, advising developers to rigorously handle filenames supplied by the serving (provider) application and to use internally generated unique identifiers rather than accepting a provided filename as-is.
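To make the receiving-side mistake described above, and the fix Google recommends, concrete, here is an added illustration in Android Java; it is not code from the article or from any of the apps named, and the class and method names (`SharedFileImporter`, `importUntrusted`, `importSafely`) are assumed.

```java
import android.content.ContentResolver;
import android.content.Context;
import android.database.Cursor;
import android.net.Uri;
import android.provider.OpenableColumns;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.UUID;

public final class SharedFileImporter {
    // Vulnerable pattern: the display name reported by the sending app's content
    // provider becomes a path component under the private cache directory, so a
    // name containing path separators or ".." escapes it and overwrites internal files.
    static File importUntrusted(Context ctx, Uri uri) throws IOException {
        String name = queryDisplayName(ctx.getContentResolver(), uri);
        File dest = new File(ctx.getCacheDir(), name); // no validation of "name"
        copy(ctx.getContentResolver().openInputStream(uri), dest);
        return dest;
    }
    // Hardened pattern: the on-disk name is generated internally (a UUID) and the
    // provider's display name is never used to build a path.
    static File importSafely(Context ctx, Uri uri) throws IOException {
        File dir = new File(ctx.getCacheDir(), "imports");
        if (!dir.isDirectory() && !dir.mkdirs()) throw new IOException("cannot create " + dir);
        File dest = new File(dir, UUID.randomUUID().toString());
        // Defence in depth: confirm the canonical path still lies inside the intended directory.
        if (!dest.getCanonicalPath().startsWith(dir.getCanonicalPath() + File.separator)) {
            throw new IOException("refusing to write outside " + dir);
        }
        copy(ctx.getContentResolver().openInputStream(uri), dest);
        return dest;
    }
    // Reads OpenableColumns.DISPLAY_NAME; treat the value as attacker-controlled metadata.
    static String queryDisplayName(ContentResolver resolver, Uri uri) {
        String[] projection = {OpenableColumns.DISPLAY_NAME};
        try (Cursor c = resolver.query(uri, projection, null, null, null)) {
            int i = (c != null && c.moveToFirst()) ? c.getColumnIndex(OpenableColumns.DISPLAY_NAME) : -1;
            return i >= 0 ? c.getString(i) : "unnamed";
        }
    }
    private static void copy(InputStream in, File dest) throws IOException {
        if (in == null) throw new IOException("provider returned no stream");
        try (InputStream src = in; FileOutputStream out = new FileOutputStream(dest)) {
            byte[] buf = new byte[8192];
            for (int n; (n = src.read(buf)) > 0; ) out.write(buf, 0, n);
        }
    }
}
```

If the display name must be shown to the user, keep it as metadata (for example in a database row keyed by the UUID) rather than letting it influence where the bytes are written.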
This incident highlights potential adversary tactics, aligning with the MITRE ATT&CK framework, particularly in areas such as initial access and code execution. As threats evolve, business owners must remain vigilant, prioritizing security protocols that protect against such vulnerabilities and ensuring that applications handle data sharing responsibly to mitigate risks associated with file overwrites and unauthorized access.