
Billions of Android devices may be vulnerable to ‘Dirty Stream’ attack.

Microsoft recently announced the discovery of a serious security vulnerability in popular Android applications. Called the “dirty stream” attack, it affects at least four apps with more than 500 million users. The vulnerability could result in attacks such as remote code execution and token theft, depending on the application implementation. Here’s what you need to know.

What is a dirty stream attack?

The dirty stream attack exploits the content providers that Android apps use to share files. Each application on the Android operating system has its own dedicated space for data and memory. Android provides a “content provider” that facilitates the secure transfer of data between applications.

Content providers can use intents – operational triggers – to query data during this process. They provide an interface for managing application data and sharing it with other applications installed on the device.

The application that needs to share its files – or the file provider – specifies the paths through which other applications can access the data. File providers contain an “address” (identifying features) that other applications can use to find them on the system.

When a client application does not properly handle the filename supplied by a server application, hackers can use a malicious application to attack another application on the device. The malicious application creates an intent carrying a manipulated filename or path, tricking the client application into finding, using, or replacing other data on the device. This may expose the application user to serious consequences, such as theft of tokens enabling access to user accounts or sensitive data.

Validation is key

Microsoft believes four billion app installs from the Google Play Store are vulnerable to the attack. It shared its findings with developers and publishers to warn them about threats and help prevent them in new releases.

The File Manager product from Xiaomi Inc. and WPS Office are among the affected apps that have already been fixed. There is no information about any security vulnerabilities in the Amazon Prime Video app, which has over 500 million downloads on the Google Play Store. However, this may not apply to all applications with the same vulnerabilities.

The content provider-based model enables secure and well-defined file sharing with other applications. However, the problem is that many Android apps do not check the content when receiving a file from another app. The receiving app simply assumes in good faith that the filename provided by the sending application can be used as-is.

This allows hackers to introduce a fake application that sends files with malicious names directly to the target file share without the user’s knowledge. Typical targets are browsers, messaging applications, email clients, web applications, and file editors. When the target file share receives a malicious file name, it uses it to initialize the file. This triggers a process that can compromise the security of the application.

The potential impact will vary depending on application implementation. Sometimes an attacker can use a malicious application to communicate with their server or trick it into sharing user credentials. They can also overwrite code in the app’s native library to execute arbitrary code. Since the rogue application controls the file name and content, failure to validate input can lead to critical files being overwritten.
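A Java example of the filename validation the paragraphs above describe as missing, added here and not taken from Microsoft's report or from any affected app. The class, method and directory names are assumptions; on Android, providedName would be the name reported by the sending app.

```java
import java.io.File;
import java.io.IOException;

// Added example: class, method and directory names are hypothetical.
public class SharedFileNames {

    // Pattern the article warns about: the name reported by the sending app
    // is joined to a directory with no check at all.
    static File unsafeTarget(File cacheDir, String providedName) {
        return new File(cacheDir, providedName);
    }

    // Hardened pattern: keep only the last path segment, reject empty or
    // dot-only names, then confirm the canonical path stays inside cacheDir.
    static File safeTarget(File cacheDir, String providedName) throws IOException {
        if (providedName == null) {
            throw new IOException("missing file name");
        }
        String name = providedName.replace('\\', '/');
        name = name.substring(name.lastIndexOf('/') + 1);
        if (name.isEmpty() || name.equals(".") || name.equals("..")) {
            throw new IOException("rejected file name: " + providedName);
        }
        File base = cacheDir.getCanonicalFile();
        File target = new File(base, name).getCanonicalFile();
        if (!target.toPath().startsWith(base.toPath())) {
            throw new IOException("path escapes cache directory: " + providedName);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        File cacheDir = new File(System.getProperty("java.io.tmpdir"), "share_cache");
        // Constructed sample names, as a sending app might report them.
        String[] samples = { "report.pdf", "../lib/libexample.so", "..", "a/b/../../../prefs.xml" };
        for (String s : samples) {
            System.out.println("unsafe: " + unsafeTarget(cacheDir, s).getCanonicalPath());
            try {
                System.out.println("safe:   " + safeTarget(cacheDir, s));
            } catch (IOException e) {
                System.out.println("safe:   " + e.getMessage());
            }
        }
    }
}
```

For the traversal samples, the unsafe path resolves outside share_cache, while the hardened method either keeps the file inside it under its last path segment or rejects the name.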

Microsoft’s report comes shortly after Google reported blocking more than two million apps from the Play Store in 2023. That’s almost a 60 percent increase from 2022. The threat landscape is escalating, highlighting why users need to install security updates as soon as they are available. Microsoft worked with Google to create guidelines that help developers protect against Dirty Stream and reduce the vulnerabilities of their applications.

What can end users do?

Users cannot do anything other than update the apps as soon as updates become available. They should also be careful when downloading and installing new applications. End users should only download from reliable sources. If they need to install an application from an unknown developer, they should use tools such as Microsoft Defender to check that the application they want to use does not contain malicious code.