Android Flaw Affected Apps With 4 Billion Installs

Microsoft’s research team has unearthed a concerning vulnerability pattern in numerous popular Android applications, posing significant security risks to billions of users worldwide. 

The identified vulnerability pattern, linked to path traversal, enables a malicious application to manipulate files within the vulnerable app’s home directory.

The impact of this vulnerability reportedly extended to several widely used applications found on the Google Play Store, with over four billion installations collectively. 

In a technical blog post published on Wednesday, Microsoft stressed the importance of industry collaboration in addressing evolving threats, highlighting the need for developers to scrutinize their apps for similar vulnerabilities and take prompt action to rectify them.

In response to this discovery, the company said it followed responsible disclosure procedures and collaborated with application developers, such as Xiaomi and WPS Office, to implement fixes. These efforts resulted in deployed fixes for the identified vulnerabilities as of February 2024.

Furthermore, Microsoft took proactive steps to raise awareness among developers, partnering with Google to publish guidance on the Android Developers website. This initiative aims to equip developers with the knowledge to prevent the introduction of such vulnerabilities in their applications.

Microsoft also elaborated on the vulnerability pattern, particularly its prevalence in Android share targets. Through a detailed case study involving Xiaomi’s File Manager, Microsoft illustrated the potential severity of the issue, including scenarios where attackers could execute arbitrary code and gain access to sensitive credentials stored on the device.

“To prevent these issues, when handling file streams sent by other applications, the safest solution is to completely ignore the name returned by the remote file provider when caching the received content,” reads the technical post.

“Some of the most robust approaches we encountered use randomly generated names, so even in the case that the content of an incoming stream is malformed, it won’t tamper with the application.”
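
The advice quoted above, shown as an added example that is not code from the article or from Microsoft's post: a receiving app caches an incoming stream under a random name instead of the name reported by the sending app. The class and method names, the constructed file name and the plain-Java stand-ins for the Android cache directory and content stream are all assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.util.UUID;

public class ShareTargetCache {
    // Risky pattern: the cache file name comes from the sending app's provider.
    static File unsafeTarget(File cacheDir, String providerName) {
        return new File(cacheDir, providerName);
    }

    // Hardened pattern: the provider-supplied name is never used; the file
    // gets a random name chosen by the receiving app.
    static File cacheIncoming(File cacheDir, InputStream in) throws IOException {
        File target = new File(cacheDir, UUID.randomUUID() + ".tmp");
        Files.copy(in, target.toPath()); // fails if the file already exists
        return target;
    }

    // True only if 'file' resolves to a location inside 'dir'.
    static boolean isInside(File dir, File file) throws IOException {
        return file.getCanonicalFile().toPath().startsWith(dir.getCanonicalFile().toPath());
    }

    public static void main(String[] args) throws IOException {
        // Stand-ins (assumptions): on Android, cacheDir would be context.getCacheDir()
        // and the stream would come from getContentResolver().openInputStream(uri).
        File home = Files.createTempDirectory("app_home").toFile();
        File cacheDir = new File(home, "cache");
        if (!cacheDir.mkdir()) throw new IOException("cannot create " + cacheDir);

        String providerName = "../files/settings.xml"; // constructed untrusted name
        InputStream content = new ByteArrayInputStream("shared bytes".getBytes());

        File risky = unsafeTarget(cacheDir, providerName); // path computed, never written
        File safe = cacheIncoming(cacheDir, content);

        System.out.println("provider-named target inside cache: " + isInside(cacheDir, risky));
        System.out.println("random-named target inside cache:   " + isInside(cacheDir, safe));
    }
}
```

The `isInside` check is included only to make the difference between the two targets visible; the random name is what keeps the write inside the cache directory.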

