Microsoft Finds Major Security Flaw ‘Dirty Stream’ in Android Apps Totalling Billions of Downloads
As per Microsoft, the vulnerability emerges from improper implementation of Android's content provider system.
Advertisement
Highlights
- Microsoft says vulnerable apps have over four billion installations
- The Dirty Stream flaw can allow hackers to take control of the app
- Google has updated its app security guidance to highlight the issue
Users are recommended to keep their apps updated and avoid installing apps from third-party sources
Photo Credit: Pexels/Lisa Fotios
Microsoft discovered a major security vulnerability in multiple Android apps last week that could be exploited to gain unauthorised access to apps and sensitive data on the device. Interestingly, this security flaw does not come from the system codes, but an improper usage of a particular system by developers that can lead to loopholes prone to exploitation. Notably, the flaw has been highlighted to Google, and the tech giant has taken steps to make the Android app developer community aware of the issue.
In a post on its Security Blog, the Microsoft Threat Intelligence team stated, “Microsoft discovered a path traversal-affiliated vulnerability pattern in multiple popular Android applications that could enable a malicious application to overwrite files in the vulnerable application's home directory.” The researchers also highlighted that the vulnerability was spotted in several apps in the Google Play Store that had a combined total of more than four billion installations.
This vulnerability emerges when a developer incorrectly uses Android's content provider system, which is designed to secure data exchange between different apps on a device. This includes data isolation, URI permissions, path validation and other security measures to stop unauthorised access by the apps or anyone else breaking into the app. However, improper implementation of the system affects a component called custom intents. These are the messaging objects that conduct two-way communication between different apps. When this vulnerability exists the apps can ignore the security measures and let other apps (or hackers controlling them) access sensitive data stored in them.
In case of an attack on the device, hackers can manipulate this vulnerability by accessing just one app, they can enter all such apps that contain this loophole. This enables the bad actors to gain complete control over the device or steal sensitive data including financial information. Notably, the vulnerability was found in the Xiaomi File Manager and WPS Office apps. Microsoft stated in its report that developers behind both the apps have investigated and fixed the issue.
Advertisement
Google has also taken cognisance of the issue and published a post on its Android Developers blog. The company has highlighted the common errors and ways to fix them. It is expected that developers of affected apps will be fixing the issues in the coming days and release a fix. While end users cannot do much to avoid this vulnerability, it is recommended that they remain proactive in updating the apps on their devices and avoid downloading apps from third-party sources for a while.
Is the Samsung Galaxy Z Flip 5 the best foldable phone you can buy in India right now? We discuss the company's new clamshell-style foldable handset on the latest episode of Orbital, the Gadgets 360 podcast. Orbital is available on Spotify, Gaana, JioSaavn, Google Podcasts, Apple Podcasts, Amazon Music and wherever you get your podcasts.
Affiliate links may be automatically generated - see our ethics statement for details.
For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.
Advertisement