
Image credit: Omar Marques/SOPA Images/LightRocket via Getty Images

Android exploit targeted apps' shoddy use of external storage

The 'man-in-the-disk' attack could install malware or block real apps.

Many mobile security flaws revolve around obvious avenues like websites or deep, operating system-level exploits. The security team at Check Point, however, has discovered another path: apps that make poor use of external storage like SD cards. While apps would ideally stick to internal storage (which Google sandboxes against outside influence) as much as possible, some apps have relied unnecessarily on unprotected external storage and didn't bother to validate the data coming from that space. An intruder could take advantage of that poor security policy to manipulate the data and cause havoc -- Check Point called it a "man-in-the-disk" attack.

An attack typically works by convincing the user to download a seemingly innocuous app that monitors the external storage use of legitimate software. When the legit apps check for updates, their hostile counterparts modify externally-stored content to perform a variety of sinister actions once it reaches the innocent programs. They can install malware instead of intended updates, flood phones with denial of service attacks or crash apps to inject harmful code.

And unfortunately, at least some of the apps found misusing storage were ones you've likely run at some point. Google's Translate, Voice Typing and Text-to-Speech apps all handled external storage badly, while common third-party apps like Xiaomi Browser and Yandex Translate also fell short. "Various additional applications" also had problems, Check Point said.

Google and other vendors have either fixed or are fixing their apps as we write this. The problem, as you might surmise, is that a security firm can't verify every Android app to make sure it uses external storage properly. And since Android doesn't have native protection for data held in external storage, there's no universal fix at the moment. The best current defense is to avoid downloading strange apps and update trustworthy apps as often as possible.
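
The validation step the affected apps skipped can be sketched as follows; this is an added example, not code from Check Point, Google or any of the apps named above. It copies a file staged on shared storage into a private directory, hashes the exact bytes it copies, and accepts only that private copy, so a later rewrite of the shared file has no effect. Assumptions: the class and method names are hypothetical, temporary directories stand in for external and app-private storage, and the expected SHA-256 digest is obtained over a trusted channel.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;

public class StagedFileVerifier {
    // Hypothetical helper: copy the staged file into private storage, hash the
    // bytes actually copied, and keep the copy only if the digest matches.
    static Path importVerified(Path staged, Path privateDir, byte[] expectedSha256)
            throws Exception {
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        Path copy = Files.createTempFile(privateDir, "import-", ".bin");
        try (InputStream in = Files.newInputStream(staged);
             OutputStream out = Files.newOutputStream(copy)) {
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) {
                sha256.update(buf, 0, n);   // hash what we keep, not a second read
                out.write(buf, 0, n);
            }
        }
        if (!MessageDigest.isEqual(sha256.digest(), expectedSha256)) {
            Files.delete(copy);             // never leave unverified data behind
            throw new SecurityException("staged file failed integrity check");
        }
        return copy;                        // use this copy; never reopen the staged file
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-ins for shared external storage and the app's private directory.
        Path shared = Files.createTempDirectory("shared");
        Path priv = Files.createTempDirectory("private");
        byte[] genuine = "update-v2".getBytes(StandardCharsets.UTF_8);
        // Assumption: in a real app this digest comes from a trusted source, not from shared storage.
        byte[] expected = MessageDigest.getInstance("SHA-256").digest(genuine);

        Path staged = shared.resolve("update.bin");
        Files.write(staged, genuine);
        Path accepted = importVerified(staged, priv, expected);
        System.out.println("genuine accepted: " + Files.exists(accepted));

        // The staged file is rewritten by another app before it is consumed.
        Files.write(staged, "tampered".getBytes(StandardCharsets.UTF_8));
        try {
            importVerified(staged, priv, expected);
        } catch (SecurityException e) {
            System.out.println("tampered rejected: " + e.getMessage());
        }
    }
}
```

Hashing during the copy rather than hashing the shared file and then reading it again closes the window in which the file could be swapped between the check and the use.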
