An attack usually works by convincing the user to download an apparently innocent app that monitors remote storage using legitimate software. When legitimate apps look for updates, their hostile counterparts modify externally stored content to perform a variety of creepy actions when it reaches innocent programs. They can install malicious software instead of intended updates, flood phones that attack the service or crash applications to inject malicious code.
And unfortunately there were at least some of the apps that found abuse of storage those you've probably driven at some point. Google's translation, speech type, and text-to-speech apps handled external storage poorly while regular third-party apps like Xiaomi Browser and Yandex Translate also fell short. "Various add-ons" also had problems, said Check Point.
Google and other vendors have either solved or are fixing their apps as we write this. The problem, as you might assume, is that a security company can not verify all Android apps to ensure it is using external storage properly. And since Android does not have native protection for data stored in remote storage, there is currently no universal solution. The best current defense is to avoid downloading weird apps and updating trusted apps as often as possible.