Dirty Stream attack puts billions of Android installs at risk

Pierluigi Paganini May 03, 2024

Microsoft devised an attack technique, dubbed ‘Dirty Stream,’ that impacts widely used Android applications; billions of installations are at risk.

Microsoft is warning Android users about a new attack technique, named Dirty Stream, that can allow threat actors to take control of apps and steal sensitive data.

The IT giant describes Dirty Stream as an attack pattern, linked to path traversal, that affects various popular Android apps. The technique allows a malicious app to overwrite files in the vulnerable app’s home directory, potentially leading to arbitrary code execution and the theft of tokens.

An attacker can trigger the flaw to gain full control over the app and access to user accounts and sensitive data.

The researchers identified multiple vulnerable applications in the official Google Play Store that, combined, are installed on over four billion devices.

“We identified this vulnerability pattern in the then-current versions of several Android applications published on the Google Play Store, including at least four with more than 500 million installations each. In each case, we responsibly disclosed to the vendor. Two example vulnerable applications that we identified are Xiaomi Inc.’s File Manager (1B+ installs) and WPS Office (500M+ installs).” continues the advisory.

Microsoft notified developers of the affected apps through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR).

The company worked with Xiaomi, Inc. and WPS Office security teams to address the issue. Fixes have been deployed for the affected apps as of February 2024, and users are urged to update their devices and installed applications.

The problem resides in the content provider component, and its ‘FileProvider’ class, of Android’s data and file sharing system.

“FileProvider, a subclass of ContentProvider, is intended to provide a secure method for an application (“server application”) to share files with another application (“client application”).” reported Google. “However, if the client application does not properly handle the filename provided by the server application, an attacker-controlled server application may be able to implement its own malicious FileProvider to overwrite files in the client application’s app-specific storage.”

The component facilitates file sharing among installed apps; however, an incorrect implementation of this mechanism can introduce significant vulnerabilities.

“The implications of this vulnerability pattern include arbitrary code execution and token theft, depending on an application’s implementation. Arbitrary code execution can provide a threat actor with full control over an application’s behavior. Meanwhile, token theft can provide a threat actor with access to the user’s accounts and sensitive data.” reads the advisory published by Microsoft.

The issue arises when the receiving application fails to verify the content of the file it receives and relies on the filename provided by the sending application. The receiving application caches the file within its internal data directory, opening the door to potential exploitation if the sending application uses a malicious version of FileProvider. In this scenario, a malicious app can exploit Dirty Stream to overwrite important files within the receiving application.

“To prevent these issues, when handling file streams sent by other applications, the safest solution is to completely ignore the name returned by the remote file provider when caching the received content. Some of the most robust approaches we encountered use randomly generated names, so even in the case that the content of an incoming stream is malformed, it won’t tamper with the application.” concludes Microsoft.
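The receiving-side pattern and the recommended fix, as an added example that is not code from Microsoft's advisory or from any affected app. It uses plain Java file APIs rather than the Android SDK; the class and method names, the directory layout and the sample filename are assumptions constructed for illustration, with `remoteName` standing in for the name reported by the sending app's provider.

```java
import java.io.*;
import java.nio.file.*;
import java.util.UUID;

public class IncomingStreamCache {
    // Vulnerable pattern: the cache path is built from the name the sender reported.
    static File cacheUnsafe(File cacheDir, String remoteName, InputStream in) throws IOException {
        File target = new File(cacheDir, remoteName); // "../" segments leave cacheDir
        Files.copy(in, target.toPath(), StandardCopyOption.REPLACE_EXISTING);
        return target;
    }

    // Hardened pattern: the remote name is ignored and a random local name is used.
    static File cacheSafe(File cacheDir, InputStream in) throws IOException {
        File target = new File(cacheDir, UUID.randomUUID() + ".tmp");
        // Defence in depth: refuse any target that resolves outside cacheDir.
        String root = cacheDir.getCanonicalPath() + File.separator;
        if (!target.getCanonicalPath().startsWith(root)) {
            throw new SecurityException("target escapes cache directory");
        }
        Files.copy(in, target.toPath()); // fails rather than overwriting an existing file
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout standing in for an app's private home directory.
        Path home = Files.createTempDirectory("app_home");
        File cacheDir = Files.createDirectory(home.resolve("cache")).toFile();
        Path config = Files.createDirectory(home.resolve("files")).resolve("settings.txt");
        Files.write(config, "original".getBytes());

        // Constructed sample name of the kind an untrusted provider could report.
        String remoteName = "../files/settings.txt";
        byte[] content = "replaced".getBytes();

        cacheUnsafe(cacheDir, remoteName, new ByteArrayInputStream(content));
        System.out.println("after unsafe: " + new String(Files.readAllBytes(config)));

        Files.write(config, "original".getBytes()); // restore, then use the safe path
        File saved = cacheSafe(cacheDir, new ByteArrayInputStream(content));
        System.out.println("after safe:   " + new String(Files.readAllBytes(config)));
        System.out.println("stored as:    " + saved.getName());
    }
}
```

With the unsafe method the file outside the cache directory ends up holding the incoming content; with the safe method it keeps its original content and the stream lands under a random name inside the cache directory.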
