Android exploit targeted apps' shoddy use of external storage

The 'man-in-the-disk' attack could install malware or block real apps.
Jon Fingas, @jonfingas
August 12, 2018

Many mobile security flaws revolve around obvious avenues like websites or deep, operating system-level exploits. The security team at Check Point, however, has discovered another path: apps that make poor use of external storage like SD cards. While apps would ideally stick to internal storage (which Google sandboxes against outside influence) as much as possible, some apps have relied unnecessarily on unprotected external storage and didn't bother to validate the data coming from that space. An intruder could take advantage of that poor security policy to manipulate the data and cause havoc -- Check Point called it a "man-in-the-disk" attack.

An attack typically works by convincing the user to download a seemingly innocuous app that monitors the external storage use of legitimate software. When the legit apps check for updates, their hostile counterparts modify externally stored content to perform a variety of sinister actions once it reaches the innocent programs. They can install malware instead of intended updates, flood phones with denial of service attacks or crash apps to inject harmful code.

And unfortunately, at least some of the apps found misusing storage were ones you've likely run at some point. Google's Translate, Voice Typing and Text-to-Speech apps all handled external storage badly, while common third-party apps like Xiaomi Browser and Yandex Translate also fell short. "Various additional applications" also had problems, Check Point said.

Google and other vendors have either fixed or are fixing their apps as we write this. The problem, as you might surmise, is that a security firm can't verify every Android app to make sure it uses external storage properly. And since Android doesn't have native protection for data held in external storage, there's no universal fix at the moment. The best current defense is to avoid downloading strange apps and update trustworthy apps as often as possible.
