Microsoft has discovered a vulnerability pattern in multiple popular Android applications that could allow malicious apps to overwrite files in the vulnerable app’s home directory. This vulnerability could lead to arbitrary code execution and token theft, depending on the app’s implementation.

The vulnerability pattern was found in several Android applications in the Google Play Store, which together total over four billion installations. Microsoft has shared this research to help developers and publishers identify and fix similar issues in their apps, as well as prevent introducing such vulnerabilities into new apps or releases. Collaboration among security researchers, vendors, and the security community is crucial to improving security for all platforms.

After discovering the issue, Microsoft notified application developers through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR) and worked with them to address the problem. Xiaomi, Inc. and WPS Office were among the teams that investigated and fixed the issue. Fixes have been deployed for the vulnerable apps, and users are advised to keep their devices and apps up to date.

To increase awareness among developers, Microsoft collaborated with Google to publish an article on the Android Developers website, providing guidance to help developers avoid this vulnerability pattern in their apps. The focus was on Android share targets, which are particularly susceptible to these types of attacks.

The vulnerability pattern involves improper implementation of content providers, particularly the FileProvider class, which enables file sharing between applications. By exploiting this vulnerability, threat actors could gain control over an app’s behavior or access a user’s accounts and sensitive data.

Microsoft’s research highlighted vulnerabilities in apps like Xiaomi Inc.’s File Manager and WPS Office, where arbitrary code execution was possible. By demonstrating how a malicious app could overwrite critical files, Microsoft aims to raise awareness and promote collaboration to enhance security for all users.

Developers are advised to follow best practices for handling file streams, validate incoming data properly, and use secure coding practices to prevent such vulnerabilities. Users should keep their apps updated and only download from trusted sources to avoid potential risks. Microsoft Defender for Endpoint on Android can help identify and alert users to malicious apps, while Microsoft Defender Vulnerability Management can identify apps with known vulnerabilities.
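
One way to apply the "validate incoming data" advice above, as an added example that is not code from Microsoft, Google or the affected apps. It assumes the receiving app caches an incoming shared file under a name supplied by the sending app and treats that name as untrusted; the class and method names are hypothetical, and a temporary directory stands in for the app's data directory so the code runs on a plain JDK.

```java
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.StandardCopyOption;
import java.util.UUID;

public class SafeShareTarget {
    // Decide where an incoming shared file may be cached. The name is untrusted:
    // on Android it would be whatever the sending app's content provider reports.
    static File resolveTarget(File cacheDir, String untrustedName) throws IOException {
        // Keep only the last path component, then allow a conservative character set.
        String raw = untrustedName == null ? "" : untrustedName.replace('\\', '/');
        String clean = new File(raw).getName().replaceAll("[^A-Za-z0-9._-]", "_");
        if (clean.isEmpty() || clean.startsWith(".")) {
            clean = "shared_" + UUID.randomUUID();   // fall back to a generated name
        }
        File target = new File(cacheDir, clean);
        // Defence in depth: the canonical path must still sit inside cacheDir.
        String root = cacheDir.getCanonicalPath() + File.separator;
        if (!target.getCanonicalPath().startsWith(root)) {
            throw new SecurityException("refusing to write outside " + root);
        }
        return target;
    }

    // Copy the incoming stream to the validated location only.
    static File cacheIncoming(File cacheDir, String untrustedName, InputStream in)
            throws IOException {
        File target = resolveTarget(cacheDir, untrustedName);
        Files.copy(in, target.toPath(), StandardCopyOption.REPLACE_EXISTING);
        return target;
    }

    public static void main(String[] args) throws IOException {
        File home = Files.createTempDirectory("apphome").toFile(); // stand-in for the app's data dir
        File cache = new File(home, "cache");
        cache.mkdirs();
        // Constructed sample names, including ones that try to leave the cache directory.
        String[] names = {"report.pdf", "../shared_prefs/settings.xml", "..", null};
        for (String n : names) {
            InputStream body = new ByteArrayInputStream("sample".getBytes(StandardCharsets.UTF_8));
            File written = cacheIncoming(cache, n, body);
            System.out.println(n + " -> " + written.getName());
        }
    }
}
```

Every constructed name ends up as a file directly inside the cache directory, so nothing else under the app's home directory is overwritten. Generating the file name locally and ignoring the supplied one entirely is the stricter variant of the same idea.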

Fabio

Full Stack Developer
