ZME Science

Billions of Android Devices May Be Open to ‘Dirty Stream’ Attack

There’s nothing that users can do other than ensure they update apps as soon as possible.

by Alexandra Gerea
June 20, 2024 - Updated on June 22, 2024
in Science, Tech
Edited and reviewed by Tibi Puiu
Credit: Wikimedia Commons.

Microsoft recently reported the discovery of a serious security vulnerability in popular Android applications. Dubbed the “dirty stream” attack, it involves at least four apps with more than 500 million users. The vulnerability can result in attacks such as remote code execution and token theft, depending on the app’s implementation. Here’s what you need to know.

What is a “dirty stream” attack?

A “dirty stream” attack exploits the content providers that Android apps use to share files. Each app running on the Android operating system has its own dedicated data and memory space. Android provides the “content provider” component to facilitate secure data transfer between apps.

Content providers can use intents—operational triggers—to start data queries throughout this process. They are the interface for managing an app’s data and exposing it to other installed applications on a device. 

An app that needs to share its files—or a file provider—specifies the paths other apps can use to get to the data. File providers include an “address” (identifying features) that other apps can use to find them on a system.

When the client application does not correctly handle the filename supplied by the server application, a malicious app installed on the same device can take advantage of it. The malicious app creates an intent carrying a manipulated filename or path, tricking the client app into finding, exploiting, or replacing other data on the device. This may expose the app user to severe consequences, such as the theft of tokens that enable access to the user’s accounts or sensitive data.

Validation Is Key

Microsoft believes that four billion app installations from the Google Play Store are vulnerable to the attack. It shared its findings with developers and publishers to alert them to the dangers and help them prevent it in new releases. 

Xiaomi Inc.’s File Manager and WPS Office are among the affected products whose vendors have already fixed the issue. There is no advice about any vulnerability with the Amazon Prime Video app, which has over 500 million downloads on the Google Play Store. However, that might not be true for all apps with the same vulnerabilities.

The content provider-based model enables secure and well-defined file sharing with other applications. However, the problem is that many Android apps do not validate the content when they receive a file from another app. They simply take it on good faith that the filename provided by the serving application is on the up and up.

That allows hackers to introduce a rogue app that sends files with malicious filenames directly to the file share target without the user’s knowledge. Typical targets include browsers, messaging apps, email clients, networking apps, and file editors. When a file share target receives a malicious filename, it uses it to initialize the file. That triggers a process that could compromise the app’s security.

The potential impact will vary depending on an app’s implementation. Sometimes, an attacker could use a malicious app to communicate with their server or get it to share the user’s authentication data. They could also overwrite code in an app’s native library to execute arbitrary code. Since the rogue app controls the name and content of a file, failing to validate the input can lead to the overwriting of critical files.
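The missing filename validation can be illustrated in plain Java. This is an added example, not code from Microsoft's report or from any of the affected apps: it contrasts joining a sender-supplied name to a private directory unchecked with stripping the name to its last component and confirming the resolved path stays inside that directory. The class name, method names, directory, and sample filenames are assumptions made for the illustration.

```java
import java.io.File;
import java.io.IOException;
import java.util.UUID;

public class SharedFileName {

    // Vulnerable pattern: the sender-controlled name is joined to the
    // receiving app's private directory without any check.
    static File unsafeTarget(File cacheDir, String providerName) {
        return new File(cacheDir, providerName);
    }

    // Hardened pattern: keep only the last path component, substitute a
    // random name if nothing usable is left, then confirm that the
    // canonical result is still inside cacheDir.
    static File safeTarget(File cacheDir, String providerName) throws IOException {
        String base = providerName == null
                ? ""
                : new File(providerName.replace('\\', '/')).getName();
        if (base.isEmpty() || base.equals(".") || base.equals("..")) {
            base = UUID.randomUUID().toString();
        }
        File target = new File(cacheDir, base);
        String root = cacheDir.getCanonicalPath() + File.separator;
        if (!target.getCanonicalPath().startsWith(root)) {
            throw new SecurityException("rejected file name: " + providerName);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-in for the receiving app's cache directory.
        File cacheDir = new File(System.getProperty("java.io.tmpdir"), "share_cache");
        // Constructed sample names, as a sending app might report them.
        String[] names = {"report.pdf", "../lib/libexample.so",
                "../../shared_prefs/settings.xml", ".."};
        for (String name : names) {
            System.out.println(name);
            System.out.println("  unchecked: " + unsafeTarget(cacheDir, name).getCanonicalPath());
            System.out.println("  validated: " + safeTarget(cacheDir, name).getCanonicalPath());
        }
    }
}
```

For the names containing `../`, the unchecked path resolves outside `share_cache`, while the validated path always stays inside it.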

The Microsoft report came shortly after Google reported barring over two million apps from the Play Store in 2023. That is almost 60 percent more than in 2022. The threat landscape is intensifying, emphasizing why users must install security updates as soon as they are available. Microsoft worked with Google to create guidelines to bolster developers’ Dirty Stream defenses and mitigate their apps’ susceptibility.

What can end users do?

There’s nothing that users can do other than ensure they update apps as soon as those updates become available. They should also be cautious when downloading and installing new apps. End users should only download from trustworthy sources. If they must install an app from an unfamiliar developer, they should use tools like Microsoft Defender to verify that the app they want to use doesn’t contain malicious code.
