Man in the disk attack
Security researchers at Check Point Software Technologies have discovered a new attack vector against the Android operating system that could potentially allow attackers to silently infect your smartphones with malicious apps or launch denial of service attacks.
Dubbed Man-in-the-Disk, the attack takes advantage of the way Android apps use the 'External Storage' system to store app-related data, which, if tampered with, could result in code injection in the privileged context of the targeted application.
It should be noted that apps on the Android operating system can store their resources on the device in two locations—internal storage and external storage.
Google itself offers guidelines to Android application developers urging them to use internal storage, which is an isolated space allocated to each application protected using Android's built-in sandbox, to store their sensitive files or data.
However, researchers found that many popular apps—including Google Translate itself, along with Yandex Translate, Google Voice Typing, Google Text-to-Speech and Xiaomi Browser—were using unprotected external storage that can be accessed by any application installed on the same device.
How Does the Android Man-in-the-Disk Attack Work?
Similar to the "man-in-the-middle" attack, the concept of "man-in-the-disk" (MitD) attack involves interception and manipulation of data being exchanged between external storage and an application, which if replaced with a carefully crafted derivative "would lead to harmful results."
For instance, researchers found that the Xiaomi web browser downloads its latest version to the external storage of the device before installing the update. Since the app fails to validate the integrity of the data, the app's legitimate update code can be replaced with a malicious one.
In this way, attackers can get a man-in-the-disk position, from where they can monitor data transferred between any other app on the user's smartphone and the external storage and overwrite it with their own malicious version in order to manipulate or crash them.
The attack can also be abused to install another malicious app in the background without the user's knowledge, which can eventually be used to escalate privileges and gain access to other parts of the Android device, like camera, microphone, contact list, and more.
Among the apps that Check Point researchers tested for this new MitD attack were Google Translate, Yandex Translate, Google Voice Typing, LG Application Manager, LG World, Google Text-to-Speech, and Xiaomi Browser.
Fortnite, another popular app that only recently made its way to Android, was also found to be vulnerable to the MitD attack. Since Epic bypasses the Google Play Store and requires users to sideload the app, all devices owning the game may be affected. An attacker can watch a specific app's External Storage space and tamper with the data stored there, because that space is shared by all apps.
The Fortnite app is vulnerable to this attack because the app does not contain the actual game, but is merely an installer. Once users install the app, this installer uses the device's External Storage space to download and install the actual game.
"Any app with the WRITE_EXTERNAL_STORAGE permission can substitute the APK immediately after the download is completed and the fingerprint is verified. This is easily done using a FileObserver. The Fortnite Installer will proceed to install the substituted (fake) APK. If the fake APK has a targetSdkVersion of 22 or lower, it will be granted all permissions it requests at install-time. This vulnerability allows an app on the device to hijack the Fortnite Installer to instead install a fake APK with any permissions that would normally require user disclosure."
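The Xiaomi Browser and Fortnite cases above share one defect: the update is written to shared external storage, its fingerprint is checked there, and the installer then reads the same world-writable path again, leaving a window in which any app holding WRITE_EXTERNAL_STORAGE can swap the file. The following is an added example, not code from the article, Check Point, Google or Epic, showing the safe shape for an in-app updater: stage the download in app-private internal storage, hash the bytes as they are written, compare in constant time, and only then hand that private copy to the installer. The inputs are assumptions: `body` stands for the HTTPS response stream of the update and `expectedSha256Hex` for a digest obtained from an authenticated manifest.

```java
// Added example (not the article's or any vendor's code). Assumed inputs: `body` is
// the HTTPS response stream of the update, `expectedSha256Hex` is the digest published
// in an authenticated update manifest. Both are hypothetical.
import android.content.Context;
import android.content.pm.PackageInfo;
import android.os.Build;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;

public final class SafeUpdateStaging {

    private SafeUpdateStaging() {}

    /*
     * Vulnerable shape, shown only for contrast (do not use):
     *   File apk = new File(Environment.getExternalStorageDirectory(), "update.apk");
     *   download(apk); if (sha256(apk).equals(expected)) install(apk);
     * Every app holding WRITE_EXTERNAL_STORAGE can read and rewrite that path, and a
     * FileObserver lets it do so in the gap between the hash check and the install.
     */

    /** Downloads into internal storage and verifies the exact copy that will be installed. */
    public static File stageVerifiedApk(Context ctx, InputStream body, String expectedSha256Hex)
            throws IOException, GeneralSecurityException {
        // getFilesDir() lives inside the app sandbox: only this app's UID can read or write it.
        File staging = new File(ctx.getFilesDir(), "update.apk");

        // Hash while writing, so the bytes that are checked are the bytes that land on disk.
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        try (FileOutputStream out = new FileOutputStream(staging)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = body.read(buf)) != -1) {
                sha256.update(buf, 0, n);
                out.write(buf, 0, n);
            }
            out.getFD().sync();
        }

        // Constant-time comparison against the expected digest.
        if (!MessageDigest.isEqual(sha256.digest(), hexToBytes(expectedSha256Hex))) {
            staging.delete();
            throw new GeneralSecurityException("update digest mismatch");
        }

        // Refuse legacy-permission packages: a targetSdkVersion of 22 or lower is granted
        // every requested permission at install time without a runtime prompt.
        PackageInfo info = ctx.getPackageManager()
                .getPackageArchiveInfo(staging.getAbsolutePath(), 0);
        if (info == null || info.applicationInfo == null
                || info.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M) {
            staging.delete();
            throw new GeneralSecurityException("update targets a pre-Marshmallow SDK");
        }
        // Stream this private, verified file into a PackageInstaller.Session via
        // openWrite(); never copy it back to external storage for installation.
        return staging;
    }

    private static byte[] hexToBytes(String hex) {
        if (hex.length() % 2 != 0) throw new IllegalArgumentException("odd-length hex");
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

The two properties that close the attack window are that the verified copy sits in a directory other apps cannot open, and that the hash is computed over the stream being written rather than by re-reading a path a second time. The targetSdkVersion check is an extra guard against the install-time permission grant the quoted disclosure describes.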
Google, which itself doesn't follow its own security guidelines, acknowledged and fixed some affected applications and is in the process of fixing other vulnerable apps as well, Check Point said.
Besides Google, the researchers also approached the developers of the other vulnerable applications, but some, including Xiaomi, declined to fix the issue, according to the researchers.
The researchers stressed that they only tested a small number of major applications and therefore expect the issue to affect a far larger number of Android apps than those they explicitly noted, leaving millions of Android users potentially vulnerable to cyber threats.
Video demonstrating how the attack works