Billions of Android Devices Open to Dirty Stream Attack

Published: 23/11/2024   Category: security




Microsoft has uncovered a common vulnerability pattern in several apps that allows code execution. At least four of the apps have more than 500 million installations each, and one, Xiaomi's File Manager, has at least 1 billion installations.



Researchers from Microsoft recently discovered many Android applications, including at least four with more than 500 million installations each, to be vulnerable to remote-code execution attacks, token theft, and other issues because of a common security weakness.
Microsoft informed Google's Android security research team of the problem and Google has published new guidance for Android app developers on how to recognize and remediate the issue.
Microsoft has also shared its findings with vendors of affected Android apps on Google's Play store. Among them were Xiaomi Inc.'s File Manager product, which has more than 1 billion installations, and WPS Office with some 500 million downloads.
Microsoft said vendors of both products have already fixed the issue. But it believes there are more apps out there that are susceptible to exploitation and compromise because of the same security weakness. "We anticipate that the vulnerability pattern could be found in other applications," Microsoft's threat intelligence team said in a blog post this week. "We're sharing this research so developers and publishers can check their apps for similar issues, fix as appropriate, and prevent introducing such vulnerabilities into new apps or releases."
The issue that Microsoft discovered affects Android applications that share files with other applications. To facilitate the sharing in a secure manner, Android implements a so-called content provider feature that basically acts as an interface for managing and exposing an app's data to other installed applications on a device, Microsoft said. An app that needs to share its files (a file provider, in Android speak) declares the specific paths that other apps can use to get to the data. File providers also include an identifying feature that other apps can use as an address to find them on a system.
This content provider-based model provides a well-defined file-sharing mechanism, enabling a serving application to share its files with other applications in a secure manner with fine-grained control, Microsoft said. However, in many cases when an Android app receives a file from another app, it does not validate the content. Most concerning, it uses the filename provided by the serving application to cache the received file within the consuming application's internal data directory.
This gives attackers an opening to create a rogue app that can send a file with a malicious filename directly to a receiving app (a file share target) without the user's knowledge or approval, Microsoft said. Typical file share targets include email clients, messaging apps, networking apps, browsers, and file editors. When a share target receives a malicious filename, it uses the filename to initialize the file and trigger a process that could end with the app getting compromised, Microsoft said.
The potential impact will vary depending on an Android application's implementation specifics. In some cases, an attacker could use a malicious app to overwrite a receiving app's settings and cause it to communicate with an attacker-controlled server, or get it to share the user's authentication tokens and other data. In other situations, a malicious application could overwrite a receiving app's native library with malicious code to enable arbitrary code execution. Since the rogue app controls the name as well as the content of the file, by blindly trusting this input, a share target may overwrite critical files in its private data space, which may lead to serious consequences, Microsoft said.
Both Microsoft and Google have provided tips to developers on how to avoid the issue. End users, meanwhile, can mitigate the risk by ensuring their Android apps are up to date and by only installing apps from trusted sources.
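
The filename-trust weakness described above, next to one way a share target can harden its cache path, as an added example (not code from Microsoft, Google, or any affected app). It is plain Java so it runs off-device; the class and method names, the directory layout, and the sample filename are assumptions constructed for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;

// Constructed demo: plain Java standing in for an Android share target.
// `displayName` plays the role of the filename reported by the sending app.
public class ShareTargetCache {

    // Weak pattern: the sender-supplied name is joined to the cache dir as-is.
    static File unsafeTarget(File cacheDir, String displayName) {
        return new File(cacheDir, displayName);
    }

    // Hardened: keep only the last path component, then confirm the canonical
    // result is still inside the cache directory before anything is written.
    static File safeTarget(File cacheDir, String displayName) throws IOException {
        String leaf = new File(displayName).getName();
        if (leaf.isEmpty() || leaf.equals(".") || leaf.equals("..")) {
            leaf = "shared_" + System.nanoTime(); // fall back to a name we chose
        }
        File target = new File(cacheDir, leaf).getCanonicalFile();
        String root = cacheDir.getCanonicalPath() + File.separator;
        if (!target.getPath().startsWith(root)) {
            throw new SecurityException("filename escapes cache dir: " + displayName);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Hypothetical private data layout: <appdata>/cache and <appdata>/shared_prefs
        File appData = Files.createTempDirectory("appdata").toFile();
        File cacheDir = new File(appData, "cache");
        File prefsDir = new File(appData, "shared_prefs");
        if (!cacheDir.mkdirs() || !prefsDir.mkdirs()) {
            throw new IOException("could not create demo directories");
        }
        String root = cacheDir.getCanonicalPath() + File.separator;

        // Constructed sample of a sender-controlled name pointing outside the cache.
        String name = "../shared_prefs/settings.xml";

        File bad = unsafeTarget(cacheDir, name).getCanonicalFile();
        System.out.println("unsafe -> " + bad + " inside cache: " + bad.getPath().startsWith(root));

        File good = safeTarget(cacheDir, name);
        System.out.println("safe   -> " + good + " inside cache: " + good.getPath().startsWith(root));
    }
}
```

Ignoring the sender's name entirely and caching under a name the receiving app generates removes the dependency on the sender's input altogether; the canonical-path check is still worth keeping as a second guard.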
