A number of popular Android applications available in the Google Play Store are vulnerable to a path traversal-affiliated vulnerability that could be exploited by a malicious app to overwrite arbitrary files in the vulnerable app's home directory.
“The implications of this vulnerability pattern include arbitrary code execution and token theft, depending on an application’s implementation,” Dimitrios Valsamaras of the Microsoft Threat Intelligence team said in a report published Wednesday.
Successful exploitation could allow an attacker to take full control of the application's behavior and leverage the stolen tokens to gain unauthorized access to the victim's online accounts and other data.
Two of the apps that were found vulnerable to the problem are as follows –
- Xiaomi File Manager (com.mi.android.globalFileexplorer) – Over 1 billion installs
- WPS Office (cn.wps.moffice_eng) – Over 500 million installs
While Android implements isolation by assigning each application its own dedicated data and memory space, it offers what's called a content provider to facilitate data and file sharing between apps in a secure manner. But implementation oversights could allow bypassing of read/write restrictions within an application's home directory.
“This content provider-based model provides a well-defined file-sharing mechanism, enabling a serving application to share its files with other applications in a secure manner with fine-grained control,” Valsamaras stated.
“However, we have frequently encountered cases where the consuming application doesn’t validate the content of the file that it receives and, most concerning, it uses the filename provided by the serving application to cache the received file within the consuming application’s internal data directory.”
This pitfall can have serious consequences when a serving app declares a malicious version of the FileProvider class in order to enable file sharing between apps, and ultimately causes the consuming application to overwrite critical files in its own data space.
Put differently, the technique takes advantage of the fact that the consuming app blindly trusts the input, letting the serving app deliver arbitrary payloads with a chosen filename by way of a custom, explicit intent and without the user's knowledge or consent, leading to code execution.
Consequently, this could allow an attacker to overwrite the target app's shared preferences file and make it communicate with a server under their control to exfiltrate sensitive information.
Another scenario involves apps that load native libraries from their own data directory (instead of “/data/app-lib”), in which case a rogue app could exploit the aforementioned weakness to overwrite a native library with malicious code that gets executed when the library is loaded.
Following responsible disclosure, both Xiaomi and WPS Office have rectified the issue as of February 2024. Microsoft, however, said the problem could be more prevalent, requiring that developers take steps to check their apps for similar issues.
Google has also published its own guidance on the matter, urging developers to properly handle the filename provided by the server application.
“When the client application writes the received file to storage, it should ignore the filename provided by the server application and instead use its own internally generated unique identifier as the filename,” Google stated. “If generating a unique filename is not practical, the client application should sanitize the provided filename.”
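To make the pattern concrete for the consuming (client) side, the following Java class is an added example, not code from the Microsoft report, from Google's guidance, or from either app named above. It shows the receive path described earlier, in which the file name reported by the serving app's content provider is used directly as the cache path, beside the two fixes Google recommends: a locally generated identifier, or a sanitized name that is also checked to resolve inside the intended directory (the same write-validation problem applies to the native-library case above). The Android and Java APIs used (`ContentResolver.query` with `OpenableColumns.DISPLAY_NAME`, `openInputStream`, `getCacheDir`, `File.getCanonicalFile`) are real; the class name, method names, the 200-character length cap and the copy loop are assumptions.

```java
import android.content.ContentResolver;
import android.content.Context;
import android.database.Cursor;
import android.net.Uri;
import android.provider.OpenableColumns;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.UUID;

/**
 * Hypothetical consuming-app helper (added example; the class and method names are
 * assumptions, not code from any app named in the article). It receives a file from
 * another app's content provider and caches it under the app's own data directory.
 */
public final class SharedFileReceiver {

    private SharedFileReceiver() {}

    /** Asks the serving app's provider for the URI's display name. The serving app controls this value. */
    static String queryDisplayName(Context ctx, Uri uri) {
        String[] projection = { OpenableColumns.DISPLAY_NAME };
        try (Cursor c = ctx.getContentResolver().query(uri, projection, null, null, null)) {
            if (c != null && c.moveToFirst()) {
                int idx = c.getColumnIndex(OpenableColumns.DISPLAY_NAME);
                if (idx >= 0) return c.getString(idx);
            }
        }
        return null;
    }

    /**
     * VULNERABLE pattern described in the article: the provider-supplied name is used as-is,
     * so a name containing "../" places the file outside the cache directory (for example
     * in shared_prefs or wherever the app keeps native libraries).
     */
    static File cacheFileUnsafe(Context ctx, Uri uri) throws IOException {
        String name = queryDisplayName(ctx, uri);
        File dest = new File(ctx.getCacheDir(), name); // no validation of 'name'
        copyStream(ctx, uri, dest);
        return dest;
    }

    /** Preferred fix (Google's first recommendation): ignore the supplied name and generate a local one. */
    static File cacheFileWithGeneratedName(Context ctx, Uri uri) throws IOException {
        File dest = new File(ctx.getCacheDir(), UUID.randomUUID().toString());
        copyStream(ctx, uri, dest);
        return dest;
    }

    /**
     * Fallback (Google's second recommendation): sanitize the supplied name, then confirm that
     * the canonical destination still sits directly inside the cache directory.
     */
    static File cacheFileWithSanitizedName(Context ctx, Uri uri) throws IOException {
        File dir = ctx.getCacheDir().getCanonicalFile();
        File dest = resolveInside(dir, sanitizeFilename(queryDisplayName(ctx, uri)));
        copyStream(ctx, uri, dest);
        return dest;
    }

    /** Drops any directory components and restricts the name to a conservative character set. */
    static String sanitizeFilename(String name) {
        if (name == null) throw new IllegalArgumentException("provider supplied no filename");
        String base = new File(name).getName();                 // keeps only the last path segment
        base = base.replaceAll("[^A-Za-z0-9._-]", "_");          // neutralise separators and oddities
        if (base.isEmpty() || base.matches("\\.+")) {           // "", "." and ".." are not usable names
            throw new IllegalArgumentException("unusable filename: " + name);
        }
        if (base.length() > 200) base = base.substring(0, 200);  // assumed cap, well under NAME_MAX
        return base;
    }

    /** Defence in depth: reject the path unless its canonical parent is exactly the intended directory. */
    static File resolveInside(File dir, String name) throws IOException {
        File candidate = new File(dir, name).getCanonicalFile();  // also resolves symlinks
        if (!dir.equals(candidate.getParentFile())) {
            throw new SecurityException("destination escapes " + dir + ": " + candidate);
        }
        return candidate;
    }

    private static void copyStream(Context ctx, Uri uri, File dest) throws IOException {
        ContentResolver cr = ctx.getContentResolver();
        try (InputStream in = cr.openInputStream(uri)) {
            if (in == null) throw new IOException("provider returned no stream for " + uri);
            try (OutputStream out = new FileOutputStream(dest)) {
                byte[] buf = new byte[8192];
                int n;
                while ((n = in.read(buf)) != -1) out.write(buf, 0, n);
            }
        }
    }
}
```

The generated-name variant is the one to reach for whenever the original file name is not needed: it removes the attacker-controlled value from the path entirely. Where the name must be preserved for display, keep it as metadata (for example in a database row) rather than as the on-disk path, and treat `resolveInside` as a second check rather than the only one, since a sanitizer that merely strips `../` can be bypassed by encodings it does not anticipate.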