Several popular Android applications available in the Google Play Store are susceptible to a path traversal-related vulnerability codenamed the Dirty Stream attack that could be exploited by a malicious app to overwrite arbitrary files in the vulnerable app's home directory.
"The implications of this vulnerability pattern include arbitrary code execution and token theft, depending on an application's implementation," Dimitrios Valsamaras of the Microsoft Threat Intelligence team said in a report published Wednesday.
Successful exploitation could allow an attacker to take full control of the application's behavior and leverage the stolen tokens to gain unauthorized access to the victim's online accounts and other data.
Two of the apps that were found vulnerable to the problem are as follows -
- Xiaomi File Manager (com.mi.android.globalFileexplorer) - Over 1 billion installs
- WPS Office (cn.wps.moffice_eng) - Over 500 million installs
While Android implements isolation by assigning each application its own dedicated data and memory space, it offers what's called a content provider to facilitate data and file sharing between apps in a secure manner. But implementation oversights could enable bypassing of read/write restrictions within an application's home directory.
"This content provider-based model provides a well-defined file-sharing mechanism, enabling a serving application to share its files with other applications in a secure manner with fine-grained control," Valsamaras said.
"However, we have frequently encountered cases where the consuming application doesn't validate the content of the file that it receives and, most concerning, it uses the filename provided by the serving application to cache the received file within the consuming application's internal data directory."
This pitfall can have serious consequences when a serving app declares a malicious version of the FileProvider class in order to enable file sharing between apps, and ultimately cause the consuming application to overwrite critical files in its private data space.
Put differently, the attack takes advantage of the consuming app's blind trust in its input: the malicious app sends arbitrary payloads with a filename of its choosing by means of a custom, explicit intent, without the user's knowledge or consent, which can lead to code execution.
As a result, this could permit an attacker to overwrite the target app's shared preferences file and make it communicate with a server under their control to exfiltrate sensitive information.
Another scenario involves apps that load native libraries from their own data directory (instead of "/data/app-lib"), in which case a rogue app could exploit the aforementioned weakness to overwrite a native library with malicious code that gets executed when the library is loaded.
Following responsible disclosure, both Xiaomi and WPS Office have rectified the issue as of February 2024. Microsoft, however, said the issue could be more prevalent, requiring that developers take steps to check their apps for similar issues.
Google has also published its own guidance on the matter, urging developers to properly handle the filename provided by the server application.
"When the client application writes the received file to storage, it should ignore the filename provided by the server application and instead use its own internally generated unique identifier as the filename," Google said. "If generating a unique filename is not practical, the client application should sanitize the provided filename."
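The vulnerable pattern Microsoft describes, and the two fixes Google recommends, side by side, as an added illustration in Java that is not part of the original report or of any of the affected apps' code. The class name ReceivedFileHandler, the method names, and the "_" replacement character are assumptions chosen for this example; the Android APIs used (ContentResolver.query, OpenableColumns.DISPLAY_NAME, Context.getCacheDir) are the standard ones a consuming app would call when receiving a shared file.

```java
import android.content.ContentResolver;
import android.content.Context;
import android.database.Cursor;
import android.net.Uri;
import android.provider.OpenableColumns;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.UUID;

// Hypothetical helper class (not from any real app) showing the receiving side of
// content-provider file sharing, first as the vulnerable pattern and then hardened.
public class ReceivedFileHandler {

    // VULNERABLE: trusts the display name supplied by the serving app. A serving app
    // with a custom FileProvider can return a display name containing ".." segments
    // (for example one pointing into shared_prefs, as the report describes), so the
    // write escapes the intended cache directory.
    static File saveUnsafely(Context ctx, Uri uri) throws IOException {
        String name = queryDisplayName(ctx.getContentResolver(), uri);
        File target = new File(ctx.getCacheDir(), name);  // no validation of 'name'
        copy(ctx.getContentResolver(), uri, target);
        return target;
    }

    // HARDENED (Google's first recommendation): ignore the provided name entirely and
    // use an internally generated unique identifier.
    static File saveWithGeneratedName(Context ctx, Uri uri) throws IOException {
        File target = new File(ctx.getCacheDir(), UUID.randomUUID().toString());
        copy(ctx.getContentResolver(), uri, target);
        return target;
    }

    // HARDENED (Google's fallback): keep a user-visible name, but sanitize it and then
    // confirm the canonical path still lies inside the cache directory.
    static File saveWithSanitizedName(Context ctx, Uri uri) throws IOException {
        String name = queryDisplayName(ctx.getContentResolver(), uri);
        File dir = ctx.getCacheDir();
        File target = new File(dir, sanitizeFileName(name));
        String prefix = dir.getCanonicalPath() + File.separator;
        if (!target.getCanonicalPath().startsWith(prefix)) {
            throw new IOException("Rejected file name outside cache dir: " + name);
        }
        copy(ctx.getContentResolver(), uri, target);
        return target;
    }

    // Reduce an attacker-controlled name to a single safe path component.
    static String sanitizeFileName(String name) {
        if (name == null || name.isEmpty()) return UUID.randomUUID().toString();
        // Keep only the last path component (handles both '/' and '\' separators).
        int slash = Math.max(name.lastIndexOf('/'), name.lastIndexOf('\\'));
        String base = slash >= 0 ? name.substring(slash + 1) : name;
        // Replace everything outside a conservative allow-list with '_'.
        String cleaned = base.replaceAll("[^A-Za-z0-9._-]", "_");
        if (cleaned.isEmpty() || cleaned.equals(".") || cleaned.equals("..")) {
            return UUID.randomUUID().toString();
        }
        return cleaned;
    }

    // The display name comes from the serving app's provider and must be treated as untrusted.
    static String queryDisplayName(ContentResolver resolver, Uri uri) {
        String[] projection = { OpenableColumns.DISPLAY_NAME };
        try (Cursor c = resolver.query(uri, projection, null, null, null)) {
            if (c != null && c.moveToFirst()) {
                int idx = c.getColumnIndex(OpenableColumns.DISPLAY_NAME);
                if (idx >= 0) return c.getString(idx);
            }
        }
        return null;
    }

    // Stream the shared content into the chosen target file.
    static void copy(ContentResolver resolver, Uri uri, File target) throws IOException {
        try (InputStream in = resolver.openInputStream(uri);
             OutputStream out = new FileOutputStream(target)) {
            if (in == null) throw new IOException("Cannot open " + uri);
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) > 0) out.write(buf, 0, n);
        }
    }
}
```

The canonical-path check in saveWithSanitizedName is deliberately redundant with the sanitizer: if a future change to sanitizeFileName lets a separator or a ".." component through, the write is still refused rather than landing in shared_prefs or a native-library directory. Validating the file's contents before using them, which the report also calls out, is a separate step this example does not cover.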