Microsoft recently issued a warning about a new security threat called the “Dirty Stream” attack that targets Android apps. This vulnerability, revealed by Microsoft researcher Dimitrios Valsamaras, can allow malicious apps to manipulate other apps into overwriting their own files, which might lead to unauthorized code execution or data theft.
The core of the problem lies in the misuse of Android’s content provider system—a framework that manages shared data between apps. This system is designed to prevent unauthorized access and data leaks through security measures like data isolation, URI permissions, and path validation. However, if not correctly implemented, these protections can be bypassed.
In a “Dirty Stream” attack, a malicious app sends a file with a deceptive filename or path to another app through a custom intent. The receiving app, mistakenly trusting the manipulated filename or path, might execute or save the file in a sensitive directory, leading to potentially severe security breaches.
Microsoft’s investigation found that this vulnerability affects apps with over four billion installations, including widely-used applications like Xiaomi’s File Manager and WPS Office. Both Xiaomi and the developers of WPS Office have worked closely with Microsoft to address these vulnerabilities following the discovery.
The findings were shared with the Android developer community via an article on the Android Developers website, encouraging developers to check their apps for similar issues and to apply necessary fixes. Google also updated its app security guidelines to emphasize the importance of proper implementation in the content provider system.
End users are advised to keep their apps updated and to download applications only from reliable sources, like the official Google Play Store, to minimize the risk from such vulnerabilities.
