Last week, Microsoft discovered a major security vulnerability in multiple Android apps that could be used to gain unauthorized access to apps and sensitive device data. Interestingly, this security flaw does not come from system codes, but from developers’ misuse of a particular system, which can lead to exploit-prone loopholes. Notably, the flaw was highlighted to Google and the tech giant took steps to inform the Android app developer community about the issue.
IN post In its security blog, the Microsoft Threat Intelligence team stated: “Microsoft has discovered a pattern of path traversal vulnerabilities in multiple popular Android apps that could allow a malicious app to overwrite files in the vulnerable app’s home directory.” The researchers also highlighted that the vulnerability was spotted in several apps on the Google Play Store that had a total of more than four billion installs.
This vulnerability occurs when a developer misuses Android’s content provider system, which is designed to provide data exchange between different applications on a device. This includes data isolation, URI permissions, path validation, and other security measures to stop unauthorized access by the applications or anyone else breaking into the application. However, the incorrect implementation of the system affects a component called user intent. These are the messaging objects that perform two-way communication between different applications. When this vulnerability exists, applications can ignore security measures and allow other applications (or hackers who control them) to access sensitive data stored within them.
In the event of an attack on the device, hackers can manipulate this vulnerability by accessing only one application, they can enter all such applications that contain this loophole. This allows bad actors to gain full control of the device or steal sensitive data, including financial information. In particular, the vulnerability was found in the Xiaomi File Manager and WPS Office applications. Microsoft said in its report that the developers behind both apps have investigated and fixed the issue.
Google also took note of the issue and published a post on its Android Developer Blog. The company highlighted common errors and ways to fix them. The developers of the affected apps are expected to fix the issues in the coming days and release a patch. While there is not much that end users can do to avoid this vulnerability, it is recommended that they remain proactive in updating the applications on their devices and avoid downloading applications from third-party sources for the time being.
For the latest tech news and reviews follow Gadgets 360 on x, Facebook, WhatsApp, threads and Google News. For the latest videos on gadgets and technology, subscribe to our YouTube channel. If you want to know all about the best influencers, follow our insiders Who is this360 On Instagram and YouTube.
Sony drops requirement to link Helldivers 2 PSN accounts to Steam after widespread backlash
https://www.gadgets360.com/apps/news/microsoft-dirty-stream-security-vulnerability-android-apps-billions-of-downloads-5599430#rss-gadgets-all
