TL;DR: Microsoft discovered a common Android app vulnerability affecting billions of installations, allowing attackers to execute code and steal data.
Microsoft has found a common problem in many apps that lets bad code run on your phone. At least four of the apps have more than 500 million installations each. One app, Xiaomi’s File Manager, has at least 1 billion installations.
This is a big problem.
Researchers from Microsoft recently discovered many Android apps are open to attacks. These attacks can steal your information and do other bad things. This is because of a common security weakness in the apps.
Microsoft told Google’s Android security team about the problem. Google has published new guidance for Android app developers. This guidance shows them how to find and fix the issue.
Billions of Installations at Risk
Microsoft has also shared what they found with the makers of affected Android apps on Google’s Play store. These include Xiaomi Inc.’s File Manager product, which has more than 1 billion installations. It also includes WPS Office with some 500 million downloads.
Microsoft said the makers of both products have already fixed the issue. But they believe there are more apps out there with the same security weakness. “We think the problem could be found in other apps,” Microsoft’s threat intelligence team said. “We’re sharing this research so developers and publishers can check their apps for similar issues and fix them.”
The issue that Microsoft discovered affects Android apps that share files with other apps. To do this safely, Android has a special feature called a “content provider”. This feature manages an app’s data and shares it with other apps on a device.
An app that needs to share its files tells the content provider which paths other apps can use to get to the data. It also includes a special address that other apps can use to find it on a system.
Trusting Too Much & Not Checking Content
“This content provider-based model provides a well-defined file-sharing system,” Microsoft said. “It lets a serving app share its files with other apps in a secure way with fine control.”
However, in many cases when an Android app receives a file from another app, it does not check the content. “Most concerning, it uses the filename provided by the serving app to store the received file within the receiving app’s internal data directory.”
This gives attackers a way in. They can create a rogue app that can send a file with a bad filename directly to a receiving app without the user’s knowledge or approval. Common targets include email clients, messaging apps, networking apps, browsers, and file editors.
When a target receives a bad filename, it uses that filename to create the file, which triggers a process that could end with the app getting compromised.
The potential impact will vary depending on an app’s specifics. In some cases, an attacker could use a bad app to overwrite a receiving app’s settings. This could cause it to communicate with an attacker-controlled server or share the user’s authentication tokens and other data.
In other situations, a bad app could overwrite a receiving app’s native library with malicious code to enable arbitrary code execution. “Since the rogue app controls the name as well as the content of the file, by blindly trusting this input, a share target may overwrite critical files in its private data space, which may lead to serious consequences,” Microsoft said.
Both Microsoft and Google have provided tips to developers on how to avoid the issue. Users can protect themselves by keeping their Android apps up to date and only installing apps from trusted sources.
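The filename-trust problem described above can be shown with a short added example. It is not code from Microsoft, Google, or any affected app. It uses plain Java so it runs off-device, and the class name, directory, and sample filenames are constructed for illustration.

```java
import java.io.File;
import java.io.IOException;

// Added illustration. On Android, dataDir would be the receiving app's internal
// directory and providedName the filename supplied by the serving app.
// All names and sample values here are hypothetical.
public class ShareTargetDemo {

    // Vulnerable pattern: the filename from the other app is used as-is.
    static File vulnerableDest(File dataDir, String providedName) {
        return new File(dataDir, providedName);
    }

    // Hardened pattern: keep only the last path component, reject empty or dot
    // names, then confirm the canonical result is still inside dataDir.
    static File safeDest(File dataDir, String providedName) throws IOException {
        String name = providedName == null ? "" : providedName.replace('\\', '/');
        name = name.substring(name.lastIndexOf('/') + 1);
        if (name.isEmpty() || name.equals(".") || name.equals("..")) {
            throw new IOException("rejected filename: " + providedName);
        }
        File base = dataDir.getCanonicalFile();
        File dest = new File(base, name).getCanonicalFile();
        if (!dest.getPath().startsWith(base.getPath() + File.separator)) {
            throw new IOException("path escapes data directory: " + providedName);
        }
        return dest;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a cache directory that sits beside the app's other files.
        File dataDir = new File(System.getProperty("java.io.tmpdir"), "demo_app/cache");
        String prefix = dataDir.getCanonicalPath() + File.separator;
        String[] names = {"report.pdf", "../shared_prefs/settings.xml", "../../lib/libdemo.so", ".."};
        for (String n : names) {
            File asIs = vulnerableDest(dataDir, n).getCanonicalFile();
            boolean escaped = !asIs.getPath().startsWith(prefix);
            String safe;
            try {
                safe = safeDest(dataDir, n).getPath();
            } catch (IOException e) {
                safe = e.getMessage();
            }
            System.out.println(n + "\n  as-is:    " + asIs + (escaped ? "  <-- outside cache dir" : "")
                    + "\n  hardened: " + safe);
        }
    }
}
```

A receiving app can also ignore the supplied name entirely and store the incoming file under a name it generates itself.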