A new threat at a vast scale has just been revealed, and it impacts multiple Android apps with hundreds of millions of installs—here’s what you need to know…
Microsoft has discovered a serious new security vulnerability that impacts popular Android apps and puts billions of devices at risk. “The implications of this vulnerability pattern,” its report warns, “include arbitrary code execution and token theft, depending on an application’s implementation.”
The vulnerability relates to Android’s ContentProvider component, which is meant to let one app securely share files with another. “If the client application does not properly handle the filename provided by the server application,” Google’s own advisory confirms, “an attacker-controlled server application may be able to implement its own malicious FileProvider to overwrite files in the client application’s app-specific storage.”
Exploiting the flaw, Microsoft says, could “provide a threat actor with full control over an application’s behavior,” and “access to a user’s accounts and sensitive data.”
Now that the vulnerability has been disclosed through a co-ordinated Microsoft/Google release, developers have been given mitigation advice.
Microsoft gives two examples of popular apps that were susceptible to this risk, but which have both now been patched: “Xiaomi Inc.’s File Manager (1B+ installs) and WPS Office (500M+ installs).”
Because Android assigns separate memory space to apps to enforce device security, a common space is required to share files. But if the rules aren’t followed on both sides of the exchange, a sending app can use a crafted filename to trick the receiving app into overwriting legitimate files with malicious alternatives and content. Those malicious files can then be inadvertently executed on the device.
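The mitigation side of that exchange, as an added example (not code from Microsoft, Google or the affected apps): a receiving app must treat the display name returned by a remote ContentProvider as an untrusted leaf name and confirm the resolved target stays inside its own cache directory. The helper name `resolveInside` is hypothetical, and the block uses only plain Java (no Android APIs) so it runs anywhere; the two input names are constructed.

```java
import java.io.File;
import java.io.IOException;

/** Validates an untrusted filename before writing a shared file into app storage. */
public final class SafeFilename {

    /**
     * Resolves a display name supplied by another app (for example the value a
     * ContentProvider returns for OpenableColumns.DISPLAY_NAME) to a file inside
     * destDir. Returns null when the name is empty, contains a path separator or
     * NUL byte, is "." or "..", or still resolves outside destDir after
     * canonicalisation (symlinks in the path are followed by getCanonicalFile).
     */
    public static File resolveInside(File destDir, String displayName) throws IOException {
        if (displayName == null || displayName.isEmpty()) {
            return null;
        }
        // A display name is a leaf name, never a path: reject separators outright.
        if (displayName.contains("/") || displayName.contains("\\") || displayName.indexOf('\0') >= 0) {
            return null;
        }
        if (displayName.equals(".") || displayName.equals("..")) {
            return null;
        }
        File dir = destDir.getCanonicalFile();
        File target = new File(dir, displayName).getCanonicalFile();
        // Defence in depth: the canonical target's parent must be destDir itself.
        if (!dir.equals(target.getParentFile())) {
            return null;
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        File cache = new File(System.getProperty("java.io.tmpdir"), "app-cache");
        // Constructed inputs: a benign name, and a traversal-style name of the
        // kind the advisory describes, which must be rejected (prints null).
        System.out.println(resolveInside(cache, "report.pdf"));
        System.out.println(resolveInside(cache, "../shared_prefs/settings.xml"));
    }
}
```

On Android the same check belongs between the `ContentResolver.query` that fetches the display name and the `FileOutputStream` that writes the received bytes; a rejected name should abort the import rather than fall back to a default path.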
There’s nothing that users can do other than ensure they update apps as soon as those updates become available, and take particular care where they source new apps for download and install. Given that Microsoft “identified several vulnerable applications in the Google Play Store that represented over four billion installations,” the attack surface of this potential risk is on an industrial scale. And, as ever, with the risk now in the public domain, the danger increases until all apps are patched.
This warning comes just days after Google reported that it had barred 2.28 million apps from the Play Store last year, an increase of nearly 60% on the year before. The threat landscape is intensifying, and more than ever it’s important to install security updates as they become available and to keep apps themselves current.