Android apps can be hacked and hijacked via external storage manipulation, cybersecurity firm Check Point reports, citing its latest findings that center on a new attack technique aimed at exploiting apps that don’t manage storage resources in a responsible manner. Successful use of the newly discovered attack vector would allow malicious individuals and entities to compromise devices with silent installations of malware and similar software meant to either spy on users, hijack their devices for the purpose of adding them to a botnet, or perform a wide variety of other harmful acts.
While Google has been protecting Android users with sandboxing mechanisms for several years now, the newly detailed attacks work because external storage isn’t encompassed by that protection. Check Point is referring to the technique as a “Man-in-the-Disk” attack that allows hackers to meddle with the contents of one’s external storage while certain apps are running, allowing them to inject malicious code into vulnerable devices. The vulnerability is usually exploited during an update process when the app that’s being used as an attack vector is already expected to write to the external storage of the device, i.e. its microSD card. From there, the attacker is able to take preemptive measures to prevent the malicious code from being deleted while continuing to monitor user data transfers or control the compromised device.
Check Point demonstrated the seriousness of the vulnerability by using it to target Google Translate, Google Voice Typing, and Yandex Translate apps, rendering them inoperable by corrupting files via a Man-in-the-Disk attack. Xiaomi Browser was exploited to an even larger degree, with Check Point’s team successfully replacing a legitimate update with an undesirable app the user never agreed to install. Google already patched the vulnerability but Xiaomi opted to ignore it for the time being due to unspecified reasons, Check Point reports. The cybersecurity firm is warning that its findings imply careless external storage management is a prevalent issue in the app industry given how its study only encompassed a small number of apps yet discovered numerous instances of such problems.