Many Android apps are vulnerable to Man-in-the-Disk Attacks

Because Android phones allow data and applications to be stored on external storage, a new class of attack against Android phones has emerged: Man-in-the-Disk attacks. The attack typically targets an application that keeps data on external storage and does not verify that data before using it at startup. A Man-in-the-Disk attack can be used to silently install malware, cause a denial of service through a legitimate application, inject unauthorized code, or crash applications.

Slava Makkaveev, a researcher at Check Point, explained at the DefCon security conference on Sunday that mobile apps commonly download updates or fetch data from the developer's server. When the application stages that data on the phone's external storage, an attacker can tamper with it before it reaches the application.

Android phones have two kinds of storage: internal storage and external storage. Internal storage gives each application its own storage area, isolated from every other application; once the application is uninstalled, that space is released. External storage is typically an SD card. It is not covered by Android's built-in sandbox protection, so the storage space used by installed applications is shared between them. Android's developer guide clearly describes how external storage should be handled. If a developer does not follow that guidance when building the software, the application is easily exposed to a Man-in-the-Disk attack.

Man-in-the-Disk attack process: The attacker lures the user into installing a seemingly legitimate application. During installation, the attack script is installed and the application asks the user for permission to use the phone's external storage. Once the user grants that permission, the attacker can monitor the data in external storage. The attacker can then rewrite that data to intercept the data transmission and cause the target application to crash. If malicious code is injected while the target application is being installed, the attacker can also obtain access to other components of the phone, such as the camera, microphone, contact list and photo album.
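The defence the two passages above point at is simple to state: an app must not trust what it reads back from shared external storage, because another app with the storage permission may have rewritten the file between download and use. The following is an added example, not code from the article or from Check Point, written in Python rather than Android Java to show the verification logic itself. It models a developer-shipped update file and its pinned SHA-256 (both constructed), a second process overwriting the file in a temporary directory that stands in for external storage, and two loaders: one that uses the file blindly and one that reads it into memory once and verifies the in-memory copy before use.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample: the update payload the developer ships, and the
# digest the app would pin at build time (hypothetical values).
GOOD_PAYLOAD = b"language-pack-v1: hello=bonjour\n"
PINNED_SHA256 = hashlib.sha256(GOOD_PAYLOAD).hexdigest()

# Constructed sample: what a co-resident app with external-storage
# permission might write over the staged file.
TAMPERED_PAYLOAD = b"language-pack-v1: hello=<injected>\n"


class IntegrityError(Exception):
    """Raised when a file read from shared storage does not match its pinned digest."""


def load_unverified(path):
    """The vulnerable pattern: read from shared storage and use whatever is there."""
    with open(path, "rb") as f:
        return f.read()


def load_verified(path, expected_sha256):
    """The hardened pattern.

    Read the whole file into memory ONCE, hash that in-memory copy, and only
    then hand the same bytes to the caller. Hashing the file on disk and
    re-opening it later would leave a window in which another app could swap
    the contents between the check and the use (a TOCTOU race).
    """
    with open(path, "rb") as f:
        data = f.read()
    digest = hashlib.sha256(data).hexdigest()
    # compare_digest avoids leaking the mismatch position through timing.
    if not hmac.compare_digest(digest, expected_sha256):
        raise IntegrityError(f"{path}: digest mismatch, refusing to use file")
    return data


def simulate(tamper):
    """Stage the update in a directory standing in for external storage,
    optionally let a 'second app' overwrite it, then try both loaders.

    Returns a dict describing what each loader ended up doing.
    """
    with tempfile.TemporaryDirectory() as shared_storage:
        path = os.path.join(shared_storage, "update.bin")
        with open(path, "wb") as f:
            f.write(GOOD_PAYLOAD)          # the app's own download lands here

        if tamper:
            with open(path, "wb") as f:
                f.write(TAMPERED_PAYLOAD)  # another app rewrites the shared file

        unverified = load_unverified(path)
        try:
            load_verified(path, PINNED_SHA256)
            verified_status = "accepted"
        except IntegrityError:
            verified_status = "rejected"

        return {
            "unverified_used_tampered_data": unverified != GOOD_PAYLOAD,
            "verified_loader": verified_status,
        }


if __name__ == "__main__":
    print("clean file:   ", simulate(tamper=False))
    print("tampered file:", simulate(tamper=True))
```

With a clean file both loaders succeed; with a tampered file the unverified loader silently consumes the injected contents while the verified loader rejects the file. In a real app the pinned digest would be replaced by a signature check against a public key embedded in the APK, and the safest option, which the Android developer guide describes, is to keep such files in the app's private internal storage rather than on shared external storage at all.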

Slava Makkaveev validated the attack against applications including Google Translate, Yandex Translate, Google Voice Typing, Google Text-to-Speech and the Xiaomi browser. Google Translate, Yandex Translate and Google Voice Typing crashed because they could not verify the integrity of their data.

In the case of the Xiaomi browser, the attack could bypass the system's verification and install an app.

The lesson is that Android app developers need to review the external-storage guidance in the Android developer documentation carefully and pay attention to security when building their applications.