Check Point researchers discovered a new attack surface for Android applications that leverages external storage, dubbed Man-in-the-Disk attacks.
Android devices make use of both internal storage in which each application uses separately and is segregated by the Android Sandbox, and external storage, which is often done over an SD card or by a logical partition within the device's storage that is shared by all applications but doesn't use Android's built-in Sandbox protection, researchers said in an Aug. 12 blog post.
Because external storage data isn't protected, an attacker can use it as an access point to meddle and manipulate data stored there.
If an application makes careless use of the external storage it may allow the silent installation of unrequested malicious apps, denial of service for legitimate apps, or cause applications to crash leading to code injection attacks.
Researchers witnessed instances in which an app was downloaded, updated, or received data from the app provider's server, which passed through the external storage before being sent on to the app itself making the data vulnerable to an attacker looking to manipulate the data before the app reads it again.
Attackers could exploit this flaw using a seemingly innocent application containing the exploit script that once downloaded, would ask the user's permission to access the external storage.
“External storage, something which is perfectly normal for apps to request, and is unlikely to raise suspicion on the user's behalf,” researchers said in the post. “From that point on, the attacker is able to monitor data transferred between any other app on the user's device and the external storage, and overwrite it with his own data in a timely manner, leading to the unwelcome behavior of the attacked application.”
App developers looking to responsibly use external storage over regular sandboxed storage are recommended to perform input validation when handling data from external storage, not store executables or class files on External Storage, and ensure external storage files are signed and cryptographically verified prior to dynamic loading.
Researchers tested Google Translate, Yandex Translate, Google Voice Typing, Google Text-to-Speech, Xiaomi Browser and various additional applications to see if they were susceptible to this attack surface and found Google Translate, Yandex Translate and Google Voice Typing developers failed to validate the integrity of data read from the external storage.
Xiami Browser in particular used the external storage as a staging resource for application updates which enabled researchers to replace update code causing the installation of an alternative, undesired application instead of the legitimate update.
Check Point researchers notified Google, Xiaomi and vendors of other vulnerable applications to the vulnerabilities. Google has released a fix for its applications but Xiaomi chose not to address the issue at this time.
Users should also keep in mind that researchers only examined a small sample of applications and that many more could be vulnerable to these attacks.