Check Point Research said it has found a design flaw in the Android sandbox that allows external storage to be used as an avenue for cyber attacks.
These attacks can lead to unwanted results, such as the silent installation of unsolicited, potentially harmful apps on the user's phone. They may be used to deny service to legitimate apps. They can even cause applications to crash, opening the door to code injection that would then run in the privileged context of the attacked program.
These "Man-in-the-Disk" attacks are made possible when applications are careless about their use of external storage, a shared space that does not have Android sandbox protection, and fail to take security measures of their own, said Check Point. The company discussed the research at the Defcon hacker event in Las Vegas today.
The Android operating system has two types of storage: internal storage, which each application uses separately and which is isolated by the Android sandbox; and external storage, often on an SD card or a logical partition within the device's storage, which is shared by all applications.
External storage is mainly used to share files between programs. For example, for a messaging app to send an image from one person to another, the application must have access to media files held in external storage.
There are other reasons why an app developer would choose to use external storage instead of the sandboxed internal storage. These reasons include insufficient capacity in internal storage, backward compatibility with older devices, not wanting the app to appear to use too much space, or just laziness on the developer's side.
Whatever the reason, certain precautions are required when using external storage. Google's Android documentation gives app developers guidelines on how to use external storage in their apps. These guidelines include performing input validation, not storing executables on external storage, and making sure files are signed and cryptographically verified before loading.
"However, we have seen some examples where Google and other Android vendors do not follow these guidelines," said Check Point. "And here is the Man-in-the-Disk attack surface that allows you to attack an app that carelessly keeps data in remote storage."
The attack applies when an app downloads, updates or receives data from a server, and that data passes through external storage before being handed to the app itself.
Attackers can intrude on and tamper with data held in external storage. Using an innocent-looking app downloaded by the user, the attacker can monitor data transferred between other apps and external storage and overwrite it with other data.
On downloading the attacker's 'innocent' app, the user would be prompted to grant the app permission to access external storage, which is a quite normal permission for apps to request. The attacker's malicious code would then start monitoring external storage and all data held there.
In this way, the attacker has a "Man-in-the-Disk" looking for ways to intercept traffic and information required by the user's other existing apps, in order to manipulate them or make them crash.
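The guideline to cryptographically verify files before loading only helps if the bytes that are verified are the bytes that are later used. The sketch below is an added illustration, not code from Check Point or from any of the apps named here: it copies the file out of shared storage into a private directory first and verifies the private copy. The class, method and file names are hypothetical, and temporary directories stand in for external storage and for the app's internal storage (on Android, for example, the directory returned by `Context.getFilesDir()`).

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.*;

// Added illustration; class, method and file names are hypothetical.
public final class VerifiedImport {
    // Copy from shared storage into a private directory, then verify the private
    // copy against a SHA-256 digest that was obtained over a trusted channel.
    static Path importVerified(Path sharedFile, Path privateDir, byte[] expectedSha256)
            throws IOException, GeneralSecurityException {
        // 1. Copy first: once the bytes are private, other apps cannot change them.
        Path privateCopy = Files.createTempFile(privateDir, "import-", ".tmp");
        Files.copy(sharedFile, privateCopy, StandardCopyOption.REPLACE_EXISTING);

        // 2. Hash the private copy, never the shared original. Checking the shared
        //    file and then reading it again leaves a window for it to be swapped.
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        try (InputStream in = Files.newInputStream(privateCopy)) {
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) {
                sha256.update(buf, 0, n);
            }
        }
        // 3. Constant-time comparison; on mismatch delete the copy and refuse.
        if (!MessageDigest.isEqual(sha256.digest(), expectedSha256)) {
            Files.delete(privateCopy);
            throw new SecurityException("digest mismatch for " + sharedFile.getFileName());
        }
        return privateCopy; // the caller loads from here only
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: temp directories stand in for the two storage areas.
        Path shared = Files.createTempDirectory("shared");
        Path priv = Files.createTempDirectory("private");
        Path update = shared.resolve("update.bin");
        Files.write(update, "genuine payload".getBytes(StandardCharsets.UTF_8));
        byte[] expected = MessageDigest.getInstance("SHA-256").digest(Files.readAllBytes(update));
        System.out.println("accepted: " + importVerified(update, priv, expected));

        // Another app with storage permission has overwritten the shared file.
        Files.write(update, "tampered payload".getBytes(StandardCharsets.UTF_8));
        try {
            importVerified(update, priv, expected);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The expected digest has to reach the app by a path the other apps cannot write to, such as the TLS response that announced the download; a digest stored next to the file on external storage can be replaced along with it.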
The results of the attacks may vary, depending on the attacker's desire and expertise. Check Point demonstrated the ability to install an unwanted program in the background without the user's permission. The attack can also crash an app and inject code to hijack the permissions given to the attacked program. It could then escalate privileges and access other parts of the user's device, such as the camera, microphone, contact list, and so on.
Among the programs tested for this new attack surface were Google Translate, Yandex Translate, Google Voice Typing, LG Application Manager, LG World, Google Text-to-Speech, and Xiaomi Browser.
In the case of Google Translate, Yandex Translate and Google Voice Typing, the developers ignored a guideline listed above, which meant certain files required by the apps could be compromised by the attack, resulting in a crash of the application. LG Application Manager and LG World failed to comply with the other guidelines mentioned above, which makes them vulnerable to an attacker getting unsolicited apps installed through them.
Finally, Google Text-to-Speech and Xiaomi Browser allowed the Man-in-the-Disk attack to take root, which resulted in their APK files being overwritten.
"While it is clear that these design deficiencies allow Android users to potentially be exposed to cyber threats, it's less clear who's actually wrong and where the responsibility lies in fixing them," said Check Point. "On the one hand, although Android's developers have created guidelines for app developers on how to make sure their apps are safe, they must also be aware that developers are not building their applications with certainty in mind. On the other hand, and being aware of this foregone knowledge, is there more that Android can do to protect the operating system and the devices that use it?"