Researchers from Microsoft recently found many Android applications, including at least four with more than 500 million installations each, to be vulnerable to remote code execution, token theft, and other attacks because of a common security weakness.
Microsoft informed Google's Android security research team of the problem, and Google has published new guidance for Android app developers on how to recognize and remediate the issue.
Billions of Installations at Risk of Compromise
Microsoft has also shared its findings with vendors of affected Android apps on Google's Play store. Among them were Xiaomi Inc.'s File Manager product, which has more than 1 billion installations, and WPS Office, with some 500 million downloads.
Microsoft said the vendors of both products have already fixed the issue. But it believes there are more apps out there that are exposed to exploitation and compromise because of the same security weakness. "We anticipate that the vulnerability pattern could be found in other applications," Microsoft's threat intelligence team said in a blog post this week. "We're sharing this research so developers and publishers can check their apps for similar issues, fix as appropriate, and prevent introducing such vulnerabilities into new apps or releases."
The issue Microsoft discovered affects Android applications that share files with other applications. To make sharing secure, Android implements a "content provider" feature that acts as an interface for managing and exposing an app's data to other applications installed on the device, Microsoft said. An app that needs to share its files (a file provider, in Android terms) declares the specific paths that other apps are allowed to reach. File providers also carry an identifying authority name that other apps use as an address to find them on the system.
Blind Trust & Lack of Content Validation
"This content provider-based model provides a well-defined file-sharing mechanism, enabling a serving application to share its files with other applications in a secure manner with fine-grained control," Microsoft said. However, in many cases an Android app that receives a file from another app does not validate what it receives. "Most concerning, it uses the filename provided by the serving application to cache the received file within the consuming application's internal data directory."
This gives attackers an opening: a rogue app can send a file with a malicious filename directly to a receiving app, or share target, without the user's knowledge or approval, Microsoft said. Typical share targets include email clients, messaging apps, networking apps, browsers, and file editors. When a share target receives a malicious filename, it uses that name to create the file, setting off a chain that can end with the app being compromised, Microsoft said.
The potential impact varies with an application's implementation details. In some cases, an attacker could use a malicious app to overwrite a receiving app's settings and make it communicate with an attacker-controlled server, or get it to hand over the user's authentication tokens and other data. In other situations, a malicious application could overwrite a receiving app's native library with attacker-supplied code, enabling arbitrary code execution. "Since the rogue app controls the name as well as the content of the file, by blindly trusting this input, a share target may overwrite critical files in its private data space, which may lead to serious consequences," Microsoft said.
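The pattern described above, and the check that closes it, as an added example in Java for a hypothetical share-target app (this is illustrative code written for this page, not code from Microsoft's or Google's write-ups or from any affected app). It assumes a share target that copies a received content URI into its cache directory; the class and method names are invented for illustration. The unsafe method trusts the sender's DISPLAY_NAME as a path component, so a provider that answers with a name such as "../shared_prefs/settings.xml" or "../lib/libnative.so" can write outside the cache directory, which is exactly the settings-overwrite and native-library cases Microsoft describes. The hardened method rejects names with separators or ".." and then confirms that the canonical path still sits directly under the cache directory, which also catches a planted symlink; if the name fails, it generates its own.

```java
import android.content.ContentResolver;
import android.content.Context;
import android.database.Cursor;
import android.net.Uri;
import android.provider.OpenableColumns;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

/**
 * Hypothetical share-target code (illustrative example for this article, not
 * from Microsoft, Google, or any affected app). Shows caching a received file
 * under the name the sending app chose, and the hardened alternative.
 */
public final class SharedFileReceiver {

    private SharedFileReceiver() {}

    /** Reads the display name the serving app attached to the content URI. */
    static String queryDisplayName(ContentResolver resolver, Uri uri) {
        try (Cursor c = resolver.query(uri, new String[] {OpenableColumns.DISPLAY_NAME},
                null, null, null)) {
            if (c != null && c.moveToFirst()) {
                int idx = c.getColumnIndex(OpenableColumns.DISPLAY_NAME);
                if (idx >= 0) {
                    return c.getString(idx);
                }
            }
        }
        return null;
    }

    /**
     * VULNERABLE: the sender-controlled DISPLAY_NAME goes straight into a File
     * path. A rogue provider returning "../shared_prefs/settings.xml" or
     * "../lib/libnative.so" makes this write outside the cache directory.
     */
    static File cacheSharedFileUnsafe(Context ctx, Uri uri) throws IOException {
        String name = queryDisplayName(ctx.getContentResolver(), uri);
        File out = new File(ctx.getCacheDir(), name);   // path traversal happens here
        copy(ctx.getContentResolver(), uri, out);
        return out;
    }

    /**
     * HARDENED: only accept a name whose canonical path is a direct child of
     * the cache directory; otherwise pick a name the sender cannot influence.
     */
    static File cacheSharedFileSafe(Context ctx, Uri uri) throws IOException {
        File cacheDir = ctx.getCacheDir().getCanonicalFile();
        String name = queryDisplayName(ctx.getContentResolver(), uri);
        File out = resolveInside(cacheDir, name);
        if (out == null) {
            // Untrusted or traversing name: ignore it and generate our own.
            out = File.createTempFile("shared_", ".bin", cacheDir);
        }
        copy(ctx.getContentResolver(), uri, out);
        return out;
    }

    /**
     * Returns base/name when the canonical result is a direct child of base,
     * otherwise null. Rejects null, empty, separators, "." and "..", and any
     * name that canonicalizes elsewhere (for example a symlink in base).
     */
    static File resolveInside(File base, String name) throws IOException {
        if (name == null || name.isEmpty() || name.contains("/") || name.contains("\\")
                || name.equals(".") || name.equals("..")) {
            return null;
        }
        File candidate = new File(base, name).getCanonicalFile();
        if (!base.equals(candidate.getParentFile())) {
            return null;
        }
        return candidate;
    }

    /** Streams the provider's content into dest; the provider may return null. */
    private static void copy(ContentResolver resolver, Uri uri, File dest) throws IOException {
        try (InputStream in = resolver.openInputStream(uri);
             OutputStream outStream = new FileOutputStream(dest)) {
            if (in == null) {
                throw new IOException("provider returned no stream for " + uri);
            }
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                outStream.write(buf, 0, n);
            }
        }
    }
}
```

The parent-directory comparison after getCanonicalFile() is the part that matters: string checks for ".." alone do not cover a symlink the attacker may already have placed in the cache directory, and canonicalizing resolves that before the write happens.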
Both Microsoft and Google have provided guidance to developers on how to avoid the issue. End users, meanwhile, can reduce the risk by keeping their Android apps up to date and by installing apps only from trusted sources.