Microsoft has revealed that it has discovered a serious security vulnerability affecting countless Android applications, raising the possibility of valuable user data being stolen.
Microsoft has dubbed the security vulnerability "Dirty Stream" and explains that the flaw can be traced back to a critical system responsible for the secure exchange of data between different applications on a device. This system is also responsible for authorizing those exchanges through safeguards such as isolating sensitive data, hiding any permissions attached to specific Uniform Resource Identifiers (URIs), and preventing unauthorized access by validating file paths.
Unfortunately, Microsoft has discovered a critical flaw in this system, exposed by the incorrect use of "custom intents", the messaging mechanism Android apps use to communicate between their different parts: essentially the messaging system that all of an app's components use to talk to each other. The flaw allowed researchers to reach the sensitive areas of an app and revealed a possible route for an attacker to seize total control of an app and harvest sensitive user data.
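As an added illustration of the file-path validation safeguard described above (example code, not from Microsoft's report or from any of the named apps), the following plain Java shows how an app that saves a file handed to it by another app can refuse a file name that would escape its intended directory. The SharedFileSink class, its method names and the sample file names are assumptions; on Android the untrusted name would come from the sending app's content provider.

```java
import java.io.File;
import java.io.IOException;

/**
 * Hardening check for an app that writes a file received from another app.
 * Hypothetical helper: the receiving app must not trust the file name that the
 * sending app's content provider reports, because that name is attacker-controlled.
 */
public class SharedFileSink {

    /** Thrown when the proposed destination would leave the allowed directory. */
    public static class UnsafeFileNameException extends IOException {
        public UnsafeFileNameException(String msg) { super(msg); }
    }

    /**
     * Resolve an untrusted display name to a destination strictly inside inboxDir.
     * Assumption: on Android the name is obtained by querying the content URI for
     * its display name; here it is simply passed in as a String.
     */
    public static File safeDestination(File inboxDir, String untrustedName) throws IOException {
        if (untrustedName == null || untrustedName.isEmpty()) {
            throw new UnsafeFileNameException("empty file name");
        }
        // Reject separators and traversal tokens outright rather than trying to sanitise them.
        if (untrustedName.contains("/") || untrustedName.contains("\\")
                || untrustedName.equals(".") || untrustedName.equals("..")
                || untrustedName.indexOf('\0') >= 0) {
            throw new UnsafeFileNameException("path characters in file name: " + untrustedName);
        }
        File inbox = inboxDir.getCanonicalFile();
        File target = new File(inbox, untrustedName).getCanonicalFile();
        // Second check: after canonicalisation the target must still sit directly below the inbox.
        if (!inbox.equals(target.getParentFile())) {
            throw new UnsafeFileNameException("destination escapes inbox: " + target);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample directory and names for demonstration only.
        File inbox = new File(System.getProperty("java.io.tmpdir"), "shared-inbox");
        inbox.mkdirs();
        System.out.println("accepted: " + safeDestination(inbox, "report.pdf"));
        try {
            safeDestination(inbox, "../../secrets.txt");
        } catch (UnsafeFileNameException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```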
Two apps named in Microsoft's investigation together have more than one billion downloads: Xiaomi's File Manager app, with one billion installations, and WPS Office, with approximately 500 million installations.
"We identified several vulnerable applications in the Google Play Store that represented over four billion installations. We anticipate that the vulnerability pattern could be found in other applications. We're sharing this research so developers and publishers can check their apps for similar issues, fix as appropriate, and prevent introducing such vulnerabilities into new apps or releases," said Microsoft researcher Dimitrios Valsamaras.