Microsoft has revealed a new critical security flaw that could affect numerous known Android apps. Called “Dirty Stream”, this vulnerability represents a serious threat and can give attackers the ability to take control of apps and steal valuable user information.
“Dirty Stream” is an attack that, ironically, takes advantage of how Android prevents access to private information between apps. All smartphones present do so in isolation, with their own memory space, to prevent others from reading information from the user's data.
The worst part of this information is that, according to Microsoft's calculations, apps vulnerable to this attack number in the billions. Among these proposals is Xiaomi's file management app, which comes pre-installed on all its smartphones and on those from Redmi and POCO.
The problem happens when apps use this system incorrectly. If Android programmers make mistakes in implementing this safe space, they open the door to any malicious app by sending them what appears to be a file but is actually code execution. It can take control, either by installing other apps or stealing data and sending it to attackers.
Microsoft researchers discovered that this incorrect implementation is very common and many apps available on the Google Play Store have this error present. This includes the Xiaomi file app or the WPS Office app, one of the most popular alternatives to Microsoft Office and Google Docs.
At least, both Xiaomi and WPS responded to Microsoft researchers and have already resolved the problem in their apps. However, there are still an unknown number of apps that still have this flaw. For this reason, Google has already modified the Android documentation so that programmers can use it.
For users, the only way to stay safe is to ensure that their apps are updated. The developers of the affected apps should soon start releasing more fixes, which should immediately be applied to Android.
