Path Traversal Vulnerability In Popular Android Apps Let Attackers Overwrite Files

Hackers aim at well-known Android applications because many people use them, which means that when they attack, it can impact many users.

All these apps are rich in user data, which makes them even more lucrative for threat actors who may be looking forward to stealing personal details or spreading malware.

EHA

Recently, Microsoft identified a common path traversal vulnerability design in widely used Android apps. This vulnerability lets a malicious app overwrite files in the vulnerable apps’ home directories, leading to arbitrary code execution and token theft.

On Google Play Store, many vulnerable apps with more than four billion installs were found, and it is also expected to be present in other applications.

Microsoft has informed developers who were affected by this issue, helped them fix it, and partnered with Google to release recommendations for preventing such vulnerabilities.

Technical Analysis

The Android operating system enforces app isolation but provides the FileProvider component for secure file sharing between apps.

Document

Integrate ANY.RUN in Your Company for Effective Malware Analysis

Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

  • Real-time Detection
  • Interactive Malware Analysis
  • Easy to Learn by New Security Team members
  • Get detailed reports with maximum data
  • Set Up Virtual Machine in Linux & all Windows OS Versions
  • Interact with Malware Safely

If you want to test all these features now with completely free access to the sandbox:

However, improper FileProvider implementation can introduce vulnerabilities, enabling the bypassing of read and write restrictions within an app’s home directory. 

Share targets are Android apps that declare themselves to handle data and files sent by other apps, such as mail clients, social networking apps, messaging apps, file editors, browsers, etc. 

When a user clicks on a file, Android triggers a share-sheet dialog to select the receiving component.

The Android share sheet dialog (Source – Microsoft)

Suppose the sending app implements a malicious FileProvider version. In that case, it may cause the receiving app to overwrite critical files by exploiting the lack of validation on the received file’s content and using the provided filename to cache the file within the receiving app’s internal data directory.

Share targets can be exploited by a malicious Android app that creates a custom explicit intent to send a file directly to the share target’s file processing component without user approval.

The malicious app swaps in its own FileProvider implementation and gives the receiving share target app a filename it wrongly trusts.

Almost all reviewed share targets follow this flow:- 

  • Request the filename from the remote FileProvider
  • Use it to initialize a file and output stream
  • Create an input stream from the received content URI
  • Copy input to the output stream
Getting remote access to local shares (Source – Microsoft)

Because the rogue app controls both the filename and file content, sharing may lead to overwriting critical files in its private data space if this input is blindly trusted, which has serious consequences.

Microsoft found many well-known Android applications on the Google Play Store to contain a path traversal vulnerability, including Xiaomi’s File Manager and WPS Office, which have over 500 million installations each. 

Recommendations

Here below we have mentioned all the recommendations:-

  • Microsoft and Google offer guidance to Android developers on avoiding path traversal vulnerabilities.
  • Developers should handle filenames from remote sources carefully, using random names or strict validation.
  • Techniques like File.getCanonicalPath() and Uri.getLastPathSegment() should be used cautiously.
  • Keep mobile apps updated from trusted sources to receive vulnerability fixes.
  • For users who accessed shares through vulnerable Xiaomi app versions, reset credentials and monitor for irregularities.
  • Microsoft Defender for Endpoint on Android detects malicious apps, while Defender Vulnerability Management identifies apps with known vulnerabilities.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.