Editor’s Note: We have updated this article to highlight the fact that the vulnerable apps in question have since been patched by their respective developers. Also, we’ve changed the headline to address that the apps themselves are not malicious and don’t need to be deleted. We’ll update this story as we learn more.
Microsoft is sounding the alarm about a recently discovered critical security vulnerability on Android named "Dirty Stream" that can let malicious apps easily hijack legitimate apps. Worse still, this flaw impacts multiple apps with hundreds of millions of installs. If you have one of the best Android phones, here's what you need to know to protect your data.
The vulnerability relates to the ContentProvider system prevalent across many popular Android apps, which manages access to structured data sets meant to be shared between different applications. It's basically what lets your Android apps talk to one another and share files. To protect users and ward off unauthorized access, the system includes safeguards such as strict isolation of data, unique permissions attached to specific URIs (Uniform Resource Identifiers), and path validation security.
According to Microsoft's alert, two vulnerable apps that have since been patched include Xiaomi Inc.’s File Manager (1B+ installs) and WPS Office (500M+ installs).
What makes the Dirty Stream vulnerability so devious is how it manipulates this system. Microsoft has found that hackers can create "custom intents," messaging objects that facilitate communication between components across Android apps, to bypass these security measures. By exploiting this loophole, malicious apps can send a file with a manipulated filename or path to another app using a custom intent, sneaking in harmful code disguised as legitimate files.
From there, a hacker could trick a vulnerable app into overwriting critical files within its private storage space — and the results can be devastating. As BleepingComputer put it, Dirty Stream essentially turns a common OS-level function into a weaponized tool to execute unauthorized code, steal data, and even hijack an app while the user is none the wiser.
"Arbitrary code execution can provide a threat actor with full control over an application’s behavior," Microsoft said in a security bulletin this week. "Meanwhile, token theft can provide a threat actor with access to the user’s accounts and sensitive data."
How widespread is this threat?
Microsoft’s investigation found that this vulnerability is not an isolated issue. The company uncovered incorrect implementations of the content provider system across many popular Android apps.
"We identified several vulnerable applications in the Google Play Store that represented over four billion installations," Microsoft explained. "We anticipate that the vulnerability pattern could be found in other applications."
Given the nature of how this vulnerability works, it's hard to know exactly how many other legitimate apps may have been impacted. But it's safe to assume this potential risk is on an industrial scale until all apps are patched.
How to stay safe from Android malware
When it comes to staying safe from Android malware, one of the easiest and simplest things you can do is to limit the number of apps on your phone. I know this may sound silly but think of it this way, the fewer apps you have, the less likely that one of them may turn out to be malicious. Before installing any new app, first ask yourself whether or not you actually need it.
From here, you want to make sure that you’re installing new security updates and patches as soon as they become available. These often fix vulnerabilities and zero-day flaws which can be used to launch attacks by hackers. While you can use an old phone for longer than you’d expect, it’s worth upgrading to a new device once your current phone isn’t receiving security updates any more, especially if you want to be on the safe side.
You also want to make sure that Google Play Protect is enabled on your device. This pre-installed app scans both your existing apps and any new ones you download for malware. Likewise, if you want extra protection and potentially even some extra features like a VPN or password manager, you also want to check out the best Android antivirus apps.
As ‘Dirty Stream’ is a very serious flaw, it’s likely that Google is already working on a fix as Microsoft would have shared any of the info it uncovered with the search giant before publishing its alert.
