Security researchers at Check Point Software Technologies have
discovered a new attack vector against the Android operating system that
could potentially allow attackers to silently infect your smartphones
with malicious apps or launch denial of service attacks.
Dubbed Man-in-the-Disk, the attack takes advantage of the way
Android apps utilize 'External Storage' system to store app-related
data, which if tampered could result in code injection in the privileged
context of the targeted application.
It should be noted that apps on the Android operating system can store its resources on the device in two locations—internal storage and external storage.
Google itself offers guidelines to Android application developers urging
them to use internal storage, which is an isolated space allocated to
each application protected using Android's built-in sandbox, to store
their sensitive files or data.
However, researchers found that many popular apps—including Google Translate itself, along with Yandex Translate, Google Voice Typing, Google Text-to-Speech, Xiaomi Browser—were using unprotected external storage that can be accessed by any application installed on the same device.
Similar to the "man-in-the-middle" attack, the concept of "man-in-the-disk" (MitD) attack involves interception and manipulation of data being exchanged between external storage and an application, which if replaced with a carefully crafted derivative "would lead to harmful results."
For
instance, researchers found that Xiaomi web browser downloads its
latest version on the external storage of the device before installing
the update. Since app fails to validate the integrity of the data, the
app's legitimate update code can be replaced with a malicious one.
In this way, attackers can get a man-in-the-disk position, from where they can monitor data transferred between any other app on the user's smartphone and the external storage and overwrite it with their own malicious version in order to manipulate or crash them.
It should be noted that apps on the Android operating system can store its resources on the device in two locations—internal storage and external storage.
However, researchers found that many popular apps—including Google Translate itself, along with Yandex Translate, Google Voice Typing, Google Text-to-Speech, Xiaomi Browser—were using unprotected external storage that can be accessed by any application installed on the same device.
How Android Man-in-the-Disk Attack Works?
Similar to the "man-in-the-middle" attack, the concept of "man-in-the-disk" (MitD) attack involves interception and manipulation of data being exchanged between external storage and an application, which if replaced with a carefully crafted derivative "would lead to harmful results."
"Xiaomi Browser was found to be using the External Storage as a staging resource for application updates," the researchers said in a blog post.
"As a result, our team was able to carry out an attack by which the application’s update code was replaced, resulting in the installation of an alternative, undesired application instead of the legitimate update."
In this way, attackers can get a man-in-the-disk position, from where they can monitor data transferred between any other app on the user's smartphone and the external storage and overwrite it with their own malicious version in order to manipulate or crash them.
The attack can also be abused to install another malicious app in the
background without the user's knowledge, which can eventually be used to
escalate privileges and gain access to other parts of the Android
device, like camera, microphone, contact list, and more.
No comments:
Post a Comment