May 2, 2024 at 12:05PM
A novel attack called “Dirty Stream” exploits an Android flaw to manipulate file transfers between apps, potentially enabling unauthorized code execution and data theft. Microsoft research warns of over four billion affected app installations, highlights vulnerable apps like Xiaomi’s File Manager and WPS Office, and urges developers to address the issue. Google has updated its security guidance in response.
The “Dirty Stream” attack exploits the improper use of Android’s content provider system. This vulnerability could lead to arbitrary code execution and theft of secrets in Android apps. Microsoft has identified several vulnerable applications in the Google Play Store, including Xiaomi’s File Manager and WPS Office; the affected apps have been installed over four billion times. The developers of both apps collaborated with Microsoft to deploy fixes, and Microsoft’s findings were shared with the Android developer community. Google also updated its app security guidance to address common implementation errors in the content provider system. End users are advised to keep apps updated and to avoid downloading apps from unofficial sources to reduce the risk of exploitation.