BleepingComputer reports that numerous Android apps with over four billion downloads are susceptible to the novel Dirty Stream attack, which involves the exploitation of a flaw in Android's content provider system that could enable arbitrary code execution and secrets compromise.
Vulnerable apps, including WPS Office and Xiaomi's File Manager, could be compromised via files with altered filenames or paths delivered by malicious apps that would be stored in the targeted apps' critical directories, a report from Microsoft showed. Aside from achieving arbitrary code execution, attackers using the Dirty Stream attack could also enable SMB or FTP credential retrieval from apps, according to researchers, which noted that both WPS Office and Xiaomi had already addressed the security issue.
"We anticipate that the vulnerability pattern could be found in other applications. We're sharing this research so developers and publishers can check their apps for similar issues, fix as appropriate, and prevent introducing such vulnerabilities into new apps or releases," said the report.
