Popular Android Apps Like Xiaomi, WPS Office Vulnerable to File Overwrite Flaw

Several popular Android applications available in Google Play Store are susceptible to a path traversal-affiliated vulnerability that could be exploited by a malicious app to overwrite arbitrary files in the vulnerable app’s home directory.

“The implications of this vulnerability pattern include arbitrary code execution and token theft, depending on an application’s implementation,” Dimitrios Valsamaras of the Microsoft Threat Intelligence team said in a report published Wednesday.

Successful exploitation could allow an attacker to take full control of the application’s behavior and leverage the stolen tokens to gain unauthorized access to the victim’s online accounts and other data.

Two of the apps that were found vulnerable to the problem are as follows –

Xiaomi File Manager (com.mi.android.globalFileexplorer) – Over 1 billion installs
WPS Office (cn.wps.moffice_eng) – Over 500 million installs

While Android implements isolation by assigning each application its own dedicated data and memory space, it offers what’s called a content provider to facilitate data and file sharing between apps in a secure manner. But implementation oversights could enable bypassing of read/write restrictions within an application’s home directory.

“This content provider-based model provides a well-defined file-sharing mechanism, enabling a serving application to share its files with other applications in a secure manner with fine-grained control,” Valsamaras said.

“However, we have frequently encountered cases where the consuming application doesn’t validate the content of the file that it receives and, most concerning, it uses the filename provided by the serving application to cache the received file within the consuming application’s internal data directory.”

This pitfall can have serious consequences when a serving app declares a malicious version of the FileProvider class in order to enable file sharing between apps, and ultimately cause the consuming application to overwrite critical files in its private data space.

Put differently, the attack takes advantage of the consuming app blindly trusting its input: a malicious app sends an arbitrary payload with a chosen filename by means of a custom, explicit intent, without the user’s knowledge or consent, potentially leading to code execution.

As a result, this could permit an attacker to overwrite the target app’s shared preferences file and make it communicate with a server under their control to exfiltrate sensitive information.

Another scenario involves apps that load native libraries from their own data directory (instead of “/data/app-lib”), in which case a rogue app could exploit the aforementioned weakness to overwrite a native library with malicious code that gets executed when the library is loaded.

Following responsible disclosure, both Xiaomi and WPS Office have rectified the issue as of February 2024. Microsoft, however, said the issue could be more prevalent, requiring that developers take steps to check their apps for similar issues.

Google has also published its own guidance on the matter, urging developers to properly handle the filename provided by the server application.

“When the client application writes the received file to storage, it should ignore the filename provided by the server application and instead use its own internally generated unique identifier as the filename,” Google said. “If generating a unique filename is not practical, the client application should sanitize the provided filename.”
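The consuming-app pattern Valsamaras describes, beside the fix Google recommends, as an added Java example that is not from the Microsoft report or from either vendor's code. It assumes the app has already read the serving provider's OpenableColumns.DISPLAY_NAME into displayName; the class and method names are ours.

```java
import android.content.Context;
import android.net.Uri;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.UUID;

// Consuming-app side. displayName is what the app read from the serving provider's
// OpenableColumns.DISPLAY_NAME column, i.e. attacker-controlled. Context, Uri and
// ContentResolver are real Android APIs; the class and method names are ours.
public final class SharedFileCache {
    // Vulnerable pattern: the provider-supplied name is used verbatim as the cache
    // path, so a name like "../shared_prefs/prefs.xml" lands outside the cache dir.
    static File cacheUntrusted(Context ctx, Uri uri, String displayName) throws IOException {
        File out = new File(ctx.getCacheDir(), displayName);
        copy(ctx, uri, out);
        return out;
    }
    // Hardened pattern (Google's guidance): ignore the provided name and use an
    // internally generated identifier for the path; keep displayName only for the UI.
    static File cacheSafely(Context ctx, Uri uri) throws IOException {
        File out = new File(ctx.getCacheDir(), UUID.randomUUID().toString());
        copy(ctx, uri, out);
        return out;
    }
    // Fallback when a meaningful filename is needed: keep only the last path segment,
    // reject "." and "..", and confirm the canonical path stays inside cacheDir.
    static File sanitizedTarget(File cacheDir, String displayName) throws IOException {
        String base = new File(displayName).getName();
        if (base.isEmpty() || base.equals(".") || base.equals("..")) {
            throw new IOException("rejected filename: " + displayName);
        }
        File out = new File(cacheDir, base);
        String root = cacheDir.getCanonicalPath() + File.separator;
        if (!out.getCanonicalPath().startsWith(root)) {
            throw new IOException("path escapes cache dir: " + displayName);
        }
        return out;
    }
    private static void copy(Context ctx, Uri uri, File out) throws IOException {
        try (InputStream in = ctx.getContentResolver().openInputStream(uri)) {
            if (in == null) throw new IOException("provider returned no stream");
            try (FileOutputStream fos = new FileOutputStream(out)) {
                byte[] buf = new byte[8192];
                for (int n; (n = in.read(buf)) != -1; ) fos.write(buf, 0, n);
            }
        }
    }
}
```

Auditing for this pattern means looking for the cacheUntrusted() shape: any write under the app's data directory whose path contains a string obtained from another app's content provider.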


Source: The Hacker News
