Cybersecurity researchers at Check Point Software Technologies have discovered a new flow in the way Android applications use storage resources. Dubbed Man-in-the-Disk, the flow can open door to a cyberattack on the Android device.
The attack can occur when the user carelessly uses the External Storage for apps. Android operating system comes with Internal and External Storage. The Internal Storage is separately used by each application and is segregated by Android Sandbox. Whereas, the External Storage is shared across all the applications and doesn’t utilize Android’s built-in sandbox protection.
If the user fails to implement security precautions, the Man-in-the-Disk attack vulnerability can allow attackers to enter and compromise the data stored on External Storage. It can result in installation of malicious apps on the device, denial of service for legitimate apps, crash the apps, and open door to malicious code injection.
In a blog post, Check Point explained, “Through our research analysis we have witnessed cases where an app was downloaded, updated or received data from the app provider’s server, which passed through the External Storage before being sent on to the app itself.”
“Such practice offers an opportunity for an adversary to manipulate the data held in the External Storage before the app reads it again.”
The researchers also found that this vulnerability can allow attackers to install an undesired app in the background without the permission of user. When an application is crashed, the attacker can inject malicious code to enable all the permissions to escalate his own privileges and then access the other services on the phone like camera, contact list, microphone, etc.
Android users might think that such attacks can occur only with the apps developed by third-party developers. However, Check Point tested the new flow on Google Translate, Yandex Translate, Google Voice Typing, Google Text-to-Speech, Mi Browser, and several other apps.
Check Point informed the vendors about the vulnerability, and Google has already fixed it. Xiaomi chose not to address it this time.
Although the Android app development guidelines state that use of external storage should be avoided in this way, but the developers allow users to grant permission for External Storage due to lack of capacity in Internal Storage, compatibility issues with older devices, not wanting an app to use too much space, etc.