Microsoft warns many big Android apps carry major flaws

Sead Fadilpašić

3 May 2024 at 7:30 am·2-min read

Android Logo.

Cybersecurity researchers from Microsoft found a way for Android malware to overwrite files in another, legitimate application’s home directory. In theory, threat actors could use this vulnerability to mount arbitrary code execution attacks, or steal sensitive files from apps.

In a blog post published earlier this week, Microsoft broke down how the vulnerability works, which apps were vulnerable, which already plugged the holes, and what can be expected in the weeks and months to come.

The vulnerability stems from the way Android tries to keep sensitive information, generated by different apps, secure.

Dirty Stream

As Microsoft explains, every app on the Android device is isolated from others by getting its own dedicated data and memory space. That prevents the apps from reading each other’s data which could, in some scenarios, lead to data leakage.

But sometimes apps need to share data among themselves, which is why Android introduced a component called content provider, which works as an interface for securely managing and exposing data to other apps.

“When used correctly, a content provider provides a reliable solution. However, improper implementation can introduce vulnerabilities that could enable bypassing of read/write restrictions within an application’s home directory,” the researchers explained.

The worst part is that improper implementations are too many to count. Microsoft claims that it identified vulnerable applications in the Play Store “that represented over four billion installations.”

Among them are XIaomi’s File Manager (more than a billion installations), and WPS Office (roughly 500 million installs). Microsoft notified these two companies of its findings, and both have already deployed fixes and mitigated the risks. However, since there are too many vulnerable applications out there to notify everyone separately, Microsoft published an article on the Android Developers website, BleepingComputer found. Furthermore, Google updated its app security guidance to reflect the findings, as well.

The vulnerability was dubbed “Dirty Stream”.

More from TechRadar Pro

Android has a worrying security flaw, so users need to update now
Here's a list of the best firewalls around today
These are the best endpoint security tools right now

Windows Central
A new third-party app will help Windows 11 users hide the Start menu's 'dysfunctional' Search bar
TranslucentSM is a new app designed to help Windows 11 users spruce up the aesthetic appeal of the Start menu. The app will help you configure the opacity of the Start menu in Windows 11 and hide the Search bar.
TechRadar
Intel Thunderbolt Share arrives with some truly neat tricks for two PCs sharing files, or a monitor, or even the same mouse and keyboard
Thunderbolt Share app makes file and screen sharing between two PCs dead easy, and dead fast.
Yahoo Canada Style
Best Buy's early summer sale is on now — save up to $1,040 on laptops, TVs, smart watches and more
Over 1,800 items are included in Best Buy's early summer sale, including top deals from KitchenAid, Garmin and more.
Yahoo Finance
Apple’s iPad Pro is its most incredible product, but software holds it back
Apple's iPad Pro is an amazing piece of technology, but it needs the software to keep up.
Malay Mail
Why keep UiTM open only to Bumiputera? Protesting students say poor Malay students have nowhere else to turn to
SHAH ALAM, May 17 — Yesterday was the culmination of a protest organised by the Universiti Teknologi Mara (UiTM) Student...
KameraOne
Airport ground worker falls from plane when bungling colleagues remove steps
A woman at Jakarta Airport in Indonesia filmed employees removing the gangway from a plane. However, the door of the aircraft was still open.
Malay Mail
In Johor, two cops dead, one injured after man attacks police station
JOHOR BARU, May 17 — Two policemen were killed while another was injured after an unidentified assailant attacked them a...
The Independent
Taiwan’s parliament descends into chaos and punch-ups between MPs in ugly scenes during debate
Brawl comes just days before president-elect Lai Ching-te is set to take office
People
Nick Jonas Reveals Newly Shaved Head in Cute Picture with Daughter Malti in Dublin
The Jonas Brothers singer is currently in Ireland filming a new movie
People
The Decapitated Head of a Doctor Was Found Off a Md. Road. The Killer? His Son
Ravi Pansuriya was sentenced to life in prison without parole
NextShark
International student allegedly maxes out $140K credit before fleeing to China
A screenshot of a post describing how an international student fled the U.S. to return to China after maxing out their credit cards has gone viral on Reddit. The purported student said they exhausted their credit cards from various banks, including Chase, Citibank and American Express. The student, who claimed to be graduating from university, reportedly incurred a total debt of $140,000 — equivalent to roughly 1 million yuan — using personal and business cards.
Malay Mail
How to eat 'cendol', poached chicken, Hainanese chicken chop and more on a day trip to Ipoh
IPOH, May 16 — Ideally, my perfect weekend would be just total rest and relaxation. Especially when it’s been a harrowin...
People
Ben Affleck and Jennifer Lopez Not Photographed Together Publicly for 47 Days amid Reports of Tension
The couple, who were originally together from 2002 to 2004, reunited in 2021 and married the following year
The Telegraph
Man City could become greatest Premier League side – but 115 charges are inescapable
A Manchester City win on Sunday will erase any doubts about their and Pep Guardiola’s places in English football history.
NextShark
Singapore's new PM promises change, says he'll 'never settle for the status quo'
Singapore's new Prime Minister Lawrence Wong has pledged to chart a distinct course for the nation’s future while upholding the legacy of his predecessors. Wong, 51, was sworn into office on May 15, becoming Singapore's fourth prime minister. Singaporean President Tharman Shanmugaratnam appointed Wong to succeed Lee Hsien Loong, marking the end of the Lee dynasty's half-century reign.
Cosmopolitan
Prince Harry Reveals His and Meghan Markle's Travel Plans After Nigeria Trip
"There's only so much one can do from home and over Zoom," the duke said while speaking of his and Meghan Markle's upcoming adventures.
Cosmopolitan
King Charles Is "Bulking Up" Royals With Princess Beatrice as "Fresh Blood"
King Charles is said to be bulking up the royal family with Princess Beatrice as "fresh blood."
The Independent
Prince Laurent: ‘Belgium’s Prince Harry’ set to quit royal family for dream life abroad
‘I don’t compare myself to Prince Harry. But I would like to start a new life,’ he said.
Cinema Online
DOLLA's Syasya to fly abroad with husband after Eid Al-Adha
Actress grandma Rozie Othman says that the singer's husband will be pursuing his studies overseas
Malay Mail
PAS wants Home Ministry to explain why cops failed to thwart attack on Ulu Tiram police station
KUALA LUMPUR, May 17 — PAS has questioned the security preparedness of Malaysia’s civil forces after the attack on the U...

Dirty Stream

More from TechRadar Pro

Latest stories