Microsoft has identified a novel attack dubbed “Dirty Stream” that could allow malicious Android apps to overwrite files in another application’s home directory, potentially leading to arbitrary code execution and secrets theft. The flaw arises from the improper use of Android’s content provider system, which manages access to structured data sets meant to be shared between different applications.

The attack exploits incorrect implementations of custom intents, which are messaging objects that facilitate communication between components across Android apps. Examples of incorrect implementations include trusting unvalidated filenames and paths in intents, misuse of the ‘FileProvider’ component, and inadequate path validation.

Dirty Stream allows malicious apps to send a file with a manipulated filename or path to another app using a custom intent. The target app is misled into trusting the filename or path and executes or stores the file in a critical directory. This manipulation of the data stream between two Android apps turns a common OS-level function into a weaponized tool and can lead to unauthorized code execution, data theft, or other malicious outcomes.

Microsoft researcher Dimitrios Valsamaras noted that these incorrect implementations are abundant, impacting apps installed over four billion times and offering a massive attack surface. Two apps highlighted as vulnerable to Dirty Stream attacks are Xiaomi’s File Manager application, which has over a billion installations, and WPS Office, which counts around 500 million installs. Both companies were responsive to the findings and collaborated with Microsoft to deploy fixes to mitigate the risks posed by the vulnerability.

To prevent similar vulnerabilities in future builds, Microsoft shared its findings with the Android developer community through an article on the Android Developers website. Google also updated its app security guidance to highlight common implementation errors in the content provider system that allow security bypasses.
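The path validation that the incorrect implementations described above omit can be shown in plain Java. This is an added example, not code from Microsoft, Google, or the affected apps: the class and method names are hypothetical, the sample names are constructed, and a temp directory stands in for the app's cache directory. On Android the name would typically come from the sending app's provider (for example its `OpenableColumns.DISPLAY_NAME` column) and the directory from `Context.getCacheDir()`.

```java
import java.io.File;
import java.io.IOException;
import java.util.UUID;

public class SafeIncomingFile {
    // Vulnerable pattern: the sender-controlled name is joined to the cache dir as-is.
    static File naiveTarget(File cacheDir, String senderName) {
        return new File(cacheDir, senderName);
    }

    // Hardened: keep only the last path segment, then confirm the canonical
    // result is still inside cacheDir; otherwise use a locally generated name.
    static File safeTarget(File cacheDir, String senderName) throws IOException {
        File base = cacheDir.getCanonicalFile();
        String leaf = senderName == null ? "" : new File(senderName).getName();
        if (leaf.isEmpty() || leaf.equals(".") || leaf.equals("..")) {
            leaf = UUID.randomUUID().toString();
        }
        File target = new File(base, leaf).getCanonicalFile();
        if (!target.toPath().startsWith(base.toPath())) {
            target = new File(base, UUID.randomUUID().toString());
        }
        return target;
    }

    // True when f resolves to a location under dir (element-wise path comparison).
    static boolean inside(File dir, File f) throws IOException {
        return f.getCanonicalFile().toPath().startsWith(dir.getCanonicalFile().toPath());
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-in for the receiving app's cache directory.
        File cacheDir = new File(System.getProperty("java.io.tmpdir"), "app/cache");
        // Constructed sender-supplied names: one benign, two that try to leave the directory.
        String[] names = { "report.pdf", "../shared_prefs/settings.xml", ".." };
        for (String n : names) {
            System.out.printf("%-30s naive inside=%-5b safe inside=%b%n", n,
                    inside(cacheDir, naiveTarget(cacheDir, n)),
                    inside(cacheDir, safeTarget(cacheDir, n)));
        }
    }
}
```

Ignoring the sender's name entirely and always writing to a locally generated filename is the stricter variant of the same check.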

End users can protect themselves by keeping their apps up to date and avoiding downloading APKs from unofficial third-party app stores and other poorly vetted sources.