A vulnerability pattern in popular Android applications [1] [3], discovered by Microsoft [3] [4], allows malicious apps to manipulate files in the vulnerable app’s home directory through path traversal [1], potentially leading to arbitrary code execution and token theft [3] [4].

Description

This vulnerability affects apps on the Google Play Store with over four billion installations collectively [1]. Microsoft addressed it in collaboration with developers like Xiaomi and WPS Office, with fixes implemented by February 2024. Microsoft also partnered with Google to provide guidance on preventing similar vulnerabilities in Android apps [1], emphasizing careful handling of filenames and regular app updates [2].

The vulnerability pattern is prevalent in Android share targets [1], as demonstrated in a case study involving Xiaomi’s File Manager [1], where attackers could execute arbitrary code and access sensitive credentials [1]. To mitigate these risks [1] [3], developers are advised to ignore the name returned by remote file providers when caching content and use randomly generated names for incoming streams [1]. Share targets in Android apps can be exploited by malicious apps to overwrite critical files [2], highlighting the importance of secure file sharing practices [2].

Microsoft Defender for Endpoint on Android helps detect malicious apps [2], while Defender Vulnerability Management identifies apps with known vulnerabilities [2]. Users are advised to keep their devices and applications updated so that security patches are applied, and to reset credentials if they accessed SMB or FTP shares through vulnerable apps such as Xiaomi’s File Manager before receiving updates.
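The mitigation described above (ignore the provider-supplied name, cache under a randomly generated one) is shown here as an added example; it is not code from Microsoft or from any of the affected apps. It uses plain Java file APIs in place of Android's, and the class and method names, the temporary directory layout and the sample filename are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.UUID;

public class ShareTargetCache {
    // Weak pattern: the cache path is built from the name the sending app's provider returned.
    static File unsafeTarget(File cacheDir, String providerName) {
        return new File(cacheDir, providerName);
    }

    // Hardened: the provider's name is never used; a random name is generated locally.
    static File cacheIncoming(File cacheDir, InputStream in) throws IOException {
        File root = cacheDir.getCanonicalFile();
        File target = new File(root, UUID.randomUUID().toString());
        // Defence in depth: the resolved path must still be inside the cache directory.
        if (!isInside(root, target)) {
            throw new IOException("resolved path escapes cache directory");
        }
        Files.copy(in, target.toPath(), StandardCopyOption.REPLACE_EXISTING);
        return target;
    }

    // True when f, after canonicalisation, is located under dir.
    static boolean isInside(File dir, File f) throws IOException {
        return f.getCanonicalFile().toPath().startsWith(dir.getCanonicalFile().toPath());
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout standing in for an app's home directory.
        Path home = Files.createTempDirectory("app_home");
        File cacheDir = Files.createDirectory(home.resolve("cache")).toFile();
        // Constructed provider-supplied name containing a traversal sequence.
        String providerName = "../shared_prefs/settings.xml";

        File unsafe = unsafeTarget(cacheDir, providerName); // path is only resolved, nothing is written
        System.out.println("unsafe path stays in cache:   " + isInside(cacheDir, unsafe));

        InputStream content = new ByteArrayInputStream("shared content".getBytes());
        File safe = cacheIncoming(cacheDir, content);
        System.out.println("hardened path stays in cache: " + isInside(cacheDir, safe));
    }
}
```

The same containment check can be applied to any path an app derives from a sender-controlled name before it opens the file for writing.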

Conclusion

The vulnerability pattern discovered by Microsoft in popular Android applications has significant implications for security and privacy. Developers and users must take proactive measures to mitigate risks, such as implementing fixes, following secure file sharing practices [2], and keeping devices and applications updated [3]. Collaboration between industry leaders like Microsoft, Google [1] [2] [3], and app developers is crucial in addressing and preventing similar vulnerabilities in the future.

References

[1] https://www.infosecurity-magazine.com/news/android-flaw-apps-4-billion/
[2] https://cybersecuritynews.com/path-traversal-android-apps-vulnerability/
[3] https://www.devdiscourse.com/article/technology/2924866-microsoft-discovers-common-vulnerability-pattern-in-multiple-popular-android-apps
[4] https://allinfosecnews.com/item/dirty-stream-attack-discovering-and-mitigating-a-common-vulnerability-pattern-in-android-apps-2024-05-02/