
'Dirty Stream' Attack Is Targeting Android Apps, Microsoft Warns

The attack uses innocent-looking yet malicious apps to overwrite files in another app's home directory.
By Adrianna Nine

A new attack called "Dirty Stream" uses malicious mobile apps to overwrite files on Android devices. Microsoft warns that four billion recent app installations from the Google Play Store could be vulnerable to the attack. These installations are thought to have inadvertently allowed the apps' hidden "intents" to find, exploit, or replace other data on the device. 

Every application on the Android operating system has its own dedicated data and memory space. However, for apps to communicate with one another, Android provides a "content provider," which facilitates the secure transfer of data between apps. Content providers can use intents, or operational triggers, to initiate data queries throughout this process. 

According to Microsoft, the Dirty Stream attack uses custom intents to manipulate the content provider, forcing it to perform an action it otherwise wouldn't do. After a user unwittingly installs a malicious app, the app creates an intent aimed at the file-sharing component of its target, which is another app on the device. The intent carries a manipulated filename or path, which the target app is "tricked" into executing or storing. Microsoft says the consequences of this pattern can be dire, ranging from overwritten critical files to arbitrary code execution and token theft, which enables threat actors to access a victim's accounts or sensitive data.

An illustration demonstrating how a malicious app might exploit the Android OS content provider process.
Credit: Microsoft
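To make the filename handling concrete, here is an added example (not code from Microsoft, Google, or any affected app) that contrasts a receiving app trusting a sender-supplied name with one that strips it to a leaf name and verifies the canonical path stays inside its own directory. The class name, method names, directory layout, and sample names are all assumptions constructed for illustration; it uses plain `java.io`/`java.nio` so it runs on any JVM.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class IncomingFileName {
    // Vulnerable pattern: the sender-supplied name is joined to the cache
    // directory as-is, so "../" segments can point outside it.
    static File unsafeTarget(File cacheDir, String suppliedName) {
        return new File(cacheDir, suppliedName);
    }

    // Hardened pattern: keep only the last path segment, then confirm the
    // canonical result is still inside cacheDir before anything is written.
    static File safeTarget(File cacheDir, String suppliedName) throws IOException {
        String leaf = new File(suppliedName.replace('\\', '/')).getName();
        if (leaf.isEmpty() || leaf.equals(".") || leaf.equals("..")) {
            throw new IOException("rejected file name: " + suppliedName);
        }
        File base = cacheDir.getCanonicalFile();
        File target = new File(base, leaf).getCanonicalFile();
        if (!target.toPath().startsWith(base.toPath())) {
            throw new IOException("path escapes " + base + ": " + suppliedName);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-in for an app's private data directory.
        Path home = Files.createTempDirectory("app_home");
        File cacheDir = Files.createDirectories(home.resolve("cache")).toFile();
        // Constructed sample names, as a sending app might supply them.
        String[] names = {"report.pdf", "../config/settings.xml", "..", "a/../../data/notes.db"};
        for (String n : names) {
            File unsafe = unsafeTarget(cacheDir, n).getCanonicalFile();
            boolean escaped = !unsafe.toPath().startsWith(cacheDir.getCanonicalFile().toPath());
            String safe;
            try {
                safe = safeTarget(cacheDir, n).getName();
            } catch (IOException e) {
                safe = "REJECTED";
            }
            System.out.printf("%-28s unsafe escapes=%b safe=%s%n", n, escaped, safe);
        }
    }
}
```

The containment check compares canonical paths element by element rather than as string prefixes, so a sibling directory that merely shares a name prefix with the cache directory does not pass.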

With this particular attack, a target app's vulnerability lies in how it reads its server settings. Among the vulnerable apps available on the Google Play Store are Xiaomi’s File Manager app (with over a billion installs) and WPS Office (with over 500 million installs). Microsoft has reportedly worked to disclose the vulnerability to the developers of each affected app, with Xiaomi and WPS addressing the vulnerability in new software updates. 

The company also says it's working with Google to bolster developers' Dirty Stream defenses. After sharing its findings with Google’s Android application security research team, Microsoft helped create guidance for developers hoping to mitigate their apps' susceptibility to the attack. End users are encouraged to only download mobile apps from sources they trust; if they must download an app from an uncommon source, they should use apps like Microsoft Defender to double-check that the app doesn't contain malicious code.
