What the ‘Dirty Stream’ vulnerability pattern means for Android users

“As of February 2024, fixes have been deployed for the aforementioned apps, and users are advised to keep their device and installed applications up to date,” Microsoft Threat Intelligence shared in a post.
Francis Scialabba

Last month, Microsoft discovered a “vulnerability pattern in multiple popular Android applications,” according to a post from Microsoft’s Threat Intelligence team. The flaw would allow bad actors to “trick a vulnerable app into overwriting critical files within its private storage space,” Android Authority also reported.

“We identified several vulnerable applications in the Google Play Store that represented over 4 billion installations,” Microsoft shared in its blog post.

Michael Peck, the principal security research lead at Microsoft, told IT Brew in an email that these types of vulnerabilities, known as “directory traversal vulnerabilities,” are “unfortunately widespread,” so much so that CISA published an alert diving into the ways threat actors are using directory traversal to infiltrate systems.

“However, Android sandboxes each app, protecting its data from other apps on the device, and we believe this vulnerability pattern is notable for enabling that protection to be bypassed,” he added.

After discovering the vulnerability, the team contacted the relevant app developers and worked with them to fix the issues, noting that they discovered the pattern in current versions of multiple Android apps on Google Play, “including at least four with more than 500 million installations each.”

Two such apps were Xiaomi’s File Manager app—ringing in at more than 1 billion installations—and WPS Office—with 500+ million installations. “We made disclosures to other vendors as well. Given our belief that this is a widespread pattern, we worked with Google security researchers to publish security guidance for app developers,” Peck said.

“Imagine you have popular apps like Google Photos and Instagram [to share] photos. Normally, this process is safe because both apps check the file names and paths to ensure everything is OK,” Javad Abed, a researcher and assistant professor of IT and information systems at Johns Hopkins’ Carey Business School, told IT Brew. “However, with the ‘Dirty Stream’ vulnerability, a malicious app could send a fake photo file that tricks Instagram into thinking it’s a legitimate image from Google Photos. This could allow hackers to access your private photos, personal information—and even control your Instagram accounts.”

“Fortunately, both companies [Xiaomi and Kingsoft—another affected developer] quickly released patches to fix the vulnerabilities, ensuring their users are protected once they updated the apps,” he added. Microsoft noted that the issue had been resolved as of this February.

In terms of security and prevention, AnnMarie Nayiga—the lead managed detection and response (MDR) analyst at Malwarebytes—advised users to not only keep their apps updated, but to also be aware of what’s happening in the background.

“We download apps a lot thinking that we’re going to need them, because everything requires an app these days,” she told IT Brew. “So your apartment has an app, your children’s school has an app, the thing that you bought in your house, your fridge has an app. And so sometimes we tend to collect a lot of things on our phones that we don’t realize what other processes they’re doing in the background, or what other apps they’re interacting with—or how they could be leveraged by attackers.”

IT Brew has reached out to Xiaomi and Kingsoft for comment.
