Microsoft has detected a new vulnerability called “Dirty Stream” that could allow malicious Android apps to overwrite files in other applications’ home directories, potentially leading to arbitrary code execution and data theft. This vulnerability stems from the improper use of Android’s content provider system, designed to manage access to shared data sets among different applications. Despite built-in security measures like data isolation and path validation, incorrect implementations of custom intents can bypass these protections, posing a significant threat to Android app security.
The flaw enables malicious apps to manipulate filenames or paths in a file sent to another app via a custom intent, tricking the target app into executing or storing the file in a critical directory. This abuse of the data stream between apps transforms a common OS-level function into a weaponized tool, posing risks of unauthorized code execution and data theft. Unfortunately, these vulnerable implementations are widespread, affecting apps with over four billion installations, highlighting the extensive attack surface present in Android ecosystems.
Microsoft’s research identified several vulnerable applications, including Xiaomi’s File Manager and WPS Office, each with billions of installations. Both companies collaborated with Microsoft to deploy fixes and mitigate the risks posed by the vulnerability. To prevent similar vulnerabilities in future builds, Microsoft shared its findings with the Android developer community and updated its app security guidance to address common implementation errors in the content provider system.
For end-users, the primary defense against such vulnerabilities lies in keeping their apps updated and refraining from downloading applications from unofficial or poorly vetted sources. By staying vigilant and adhering to best practices, users can minimize their exposure to potential security risks associated with the “Dirty Stream” vulnerability.