Android Apps Vulnerable to “Dirty Stream” Attacks

Microsoft has issued a warning to Android users about a new exploit dubbed “Dirty Stream,” which allows malicious applications to overwrite files in another application’s home directory, potentially leading to arbitrary code execution and the theft of secrets.

The flaw arises from improper use of the Android Content Provider system, which manages access to structured sets of data intended for sharing across different applications. This system includes data isolation, URI permissions, and path verification measures to prevent unauthorized access, data leaks, and path traversal attacks.

If implemented incorrectly, user intents, which are message exchange objects facilitating data sharing between components in Android apps, can circumvent these security measures.

The “Dirty Stream” attack enables malicious apps to send a file with a modified filename or path to another application using a user intent. The target application is deceived into trusting the filename or path, and executes or saves the file in a critical directory.

Such manipulation of data streams between two Android applications transforms a standard operating system function into a perilous tool that could lead to unauthorized code execution, data theft, or other malicious outcomes.
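The receiving-side handling of the file name, as an added example that is not from the original article or from Microsoft's or Google's material: plain Java that resolves a sender-supplied name against a directory, first by trusting it and then with the name reduced to its last segment and the canonical path verified. The directory and file names are constructed; in an Android app the name would be whatever the sending app's content provider reports (for example the `OpenableColumns.DISPLAY_NAME` column).

```java
import java.io.File;
import java.io.IOException;
import java.util.UUID;

/** Added example: turning a sender-supplied file name into a path inside one directory. */
public class IncomingFileName {

    /** Vulnerable pattern: the sender-controlled name is joined to the directory as-is. */
    static File resolveTrusting(File dir, String suppliedName) {
        return new File(dir, suppliedName);
    }

    /** Hardened: keep only the last path segment, then verify that the canonical
     *  result is a direct child of dir. Unusable names get a generated one. */
    static File resolveChecked(File dir, String suppliedName) throws IOException {
        File base = dir.getCanonicalFile();
        String leaf = suppliedName == null ? "" : new File(suppliedName).getName();
        if (leaf.isEmpty() || leaf.equals(".") || leaf.equals("..")) {
            leaf = "incoming-" + UUID.randomUUID();
        }
        // Canonicalising also resolves a symlink already planted under dir.
        File target = new File(base, leaf).getCanonicalFile();
        if (!base.equals(target.getParentFile())) {
            throw new IOException("rejected file name: " + suppliedName);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-in for the receiving app's cache directory.
        File cache = new File(System.getProperty("java.io.tmpdir"), "demo-app/cache");
        cache.mkdirs();
        // Constructed names a sending app could report for the shared stream.
        String[] names = { "report.pdf", "../shared_prefs/settings.xml", ".." };
        for (String n : names) {
            File trusting = resolveTrusting(cache, n).getCanonicalFile();
            File checked = resolveChecked(cache, n);
            System.out.printf("%-30s trusting -> %s%n", n, trusting);
            System.out.printf("%-30s checked  -> %s%n", "", checked);
        }
    }
}
```

With the trusting resolver the second name lands in a sibling `shared_prefs` directory; with the checked resolver every result stays directly under `cache`.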

Microsoft researcher Dimitrios Valsamis noted that unfortunately, there are numerous such flawed implementations, affecting even those applications that have been downloaded from Google Play over four billion times.

Vulnerable programs include, in particular, Xiaomi’s File Manager with over a billion installs and the WPS Office suite with approximately 500 million users. Both companies have already addressed the issues found in their software.

To prevent similar vulnerabilities in the future, Microsoft has shared its findings with the Android developer community, and Google has updated its application security guide to reflect these mistakes. As for end-users, they can protect themselves by regularly updating installed applications and avoiding the download of APK files from unreliable sources.