We’ve made updates to this article to clarify that the apps affected by the vulnerability have been patched by their developers. Additionally, we’ve adjusted the headline to reflect that the apps themselves are not malicious and do not require deletion. We’ll continue to monitor this story for any further developments.
Microsoft has issued a warning regarding a critical security vulnerability called “Dirty Stream” discovered on Android, which could potentially allow malicious apps to take control of legitimate ones. This flaw affects several apps with millions of installs, posing a threat to users’ data security. If you own one of the top Android phones, here’s what you need to know to safeguard your information.
The vulnerability concerns the ContentProvider system widely used in many popular Android apps. This system manages access to structured data sets intended for sharing between different applications, enabling communication and file sharing among Android apps. To prevent unauthorized access, the system incorporates security measures such as data isolation, unique permissions for specific URIs (Uniform Resource Identifiers), and path validation.
According to Microsoft’s alert, two vulnerable apps that have been patched include Xiaomi Inc.’s File Manager (with over 1 billion installs) and WPS Office (with over 500 million installs).
The Dirty Stream vulnerability is particularly concerning because it abuses the ContentProvider system itself. Attackers can craft “custom intents” (the messaging objects Android uses for communication between app components) to bypass the system’s security measures. By exploiting this vulnerability, a malicious app can use such intents to send another app a file whose filename or path has been manipulated, introducing harmful code disguised as a legitimate file.
This manipulation allows hackers to trick vulnerable apps into overwriting critical files within their private storage, potentially leading to severe consequences. Essentially, Dirty Stream turns a common OS-level function into a tool for executing unauthorized code, data theft, and app hijacking without the user’s knowledge.
“Arbitrary code execution can provide a threat actor with full control over an application’s behavior,” Microsoft stated in a security bulletin. “Meanwhile, token theft can provide a threat actor with access to the user’s accounts and sensitive data.”
Microsoft’s investigation revealed that this vulnerability is not isolated, with multiple popular Android apps featuring incorrect implementations of the ContentProvider system.
“We identified several vulnerable applications in the Google Play Store that represented over four billion installations,” Microsoft noted. “We anticipate that the vulnerability pattern could be found in other applications.”
Given the widespread nature of this vulnerability, it’s difficult to estimate the full extent of its impact on legitimate apps. However, until all apps are patched, the potential risk remains significant.
To protect against Android malware, consider limiting the number of apps on your phone and installing only essential ones. Additionally, ensure prompt installation of security updates and patches, enable Google Play Protect, and consider using Android antivirus apps for extra protection.
As “Dirty Stream” poses a significant threat, it’s likely that Google is already working on a fix, as Microsoft would have shared its findings with the company before issuing the alert.