'Dirty Stream' Floods Android With Malware

By John Lister

A new form of Android malware can hijack legitimate apps. "Dirty Stream" takes advantage of a legitimate function designed to make life easier for users.

The function is called ContentProvider and allows one mobile app to access data from, or communicate with, another app. It makes it possible to, for example, open a PDF attachment from a messaging app in a dedicated PDF reader app.

The people behind the Dirty Stream malware found a vulnerability in the way ContentProvider worked. This made it possible not only to force another app to open a compromised file, but then to use its contents to overwrite legitimate files in the targeted app.

Microsoft highlighted the threat and said the affected apps added up to four billion installations. High-profile targets included a file manager app that's the default on Xiaomi-brand phones, and WPS Office, which can open files in multiple document formats. Both of these apps are completely legitimate. (Source: lifehacker.com)

Developers Tipped Off

Before going public, Microsoft informed the developers of some of the most notable affected apps to give them a chance to fix the vulnerability. Both the file manager app and WPS Office were able to issue software updates before Microsoft's announcement potentially tipped off hackers to the problem.

It seems a serious enough issue that usual rivalries have been set aside. Microsoft worked with Google to publish guidance for Android developers. (Source: microsoft.com)

Broadly speaking, the developers of the affected apps had made two errors. The first was that the receiving app did not properly check the content of files before opening them to make sure it was what it expected.

The second was letting the app that sent the file choose its name, with the receiving app then caching the file under that name. That's what potentially let it overwrite genuine files and complete the "hijacking."
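The two errors above map onto two lines of defensive code in the receiving app. The following Kotlin is an added illustration written for this article; it is not code from Microsoft, Google, or any of the affected apps. It assumes a hypothetical receiving app that is handed a content:// URI by another app and wants to cache the file before opening it. The function names (cacheIncomingFileUnsafe, cacheIncomingFileSafe, sanitizedExtension, queryDisplayName) and the "incoming" cache sub-directory are assumptions of this example; the Android calls (ContentResolver.query, OpenableColumns.DISPLAY_NAME, openInputStream) are standard platform APIs. The first function shows the pattern the article describes as flawed; the second shows a hardened version that ignores the sender-chosen name, checks the resolved path stays inside the cache directory, and checks the file header before using the content.

```kotlin
import android.content.Context
import android.net.Uri
import android.provider.OpenableColumns
import java.io.File
import java.io.IOException
import java.util.UUID

// Flawed pattern from the article: the receiving app trusts the name the
// sending app's ContentProvider reports and writes the file under that name
// in its own cache directory. A name containing path separators (for example
// one beginning with "../") escapes the cache directory and can overwrite a
// genuine file belonging to the receiving app.
fun cacheIncomingFileUnsafe(context: Context, uri: Uri): File {
    val displayName = queryDisplayName(context, uri) ?: "download"
    val target = File(context.cacheDir, displayName)   // sender-chosen name, no validation
    context.contentResolver.openInputStream(uri)!!.use { input ->
        target.outputStream().use { output -> input.copyTo(output) }
    }
    return target
}

// Hardened version: the sender-controlled name is reduced to an extension
// hint (never a path), the file is stored under a name the receiver chooses,
// the resolved path is checked to still lie inside the cache directory, and
// the content is checked against the expected format before it is written.
// expectedMagic is the header the receiving app expects, e.g. "%PDF-" bytes.
fun cacheIncomingFileSafe(context: Context, uri: Uri, expectedMagic: ByteArray): File {
    val cacheDir = File(context.cacheDir, "incoming").apply { mkdirs() }   // assumed sub-directory
    val displayName = queryDisplayName(context, uri) ?: "download"
    val target = File(cacheDir, UUID.randomUUID().toString() + sanitizedExtension(displayName))

    // Defence in depth: even with a receiver-chosen name, confirm containment.
    if (!target.canonicalPath.startsWith(cacheDir.canonicalPath + File.separator)) {
        throw IOException("refusing to write outside the cache directory")
    }

    val input = context.contentResolver.openInputStream(uri)
        ?: throw IOException("provider returned no stream")
    input.use { stream ->
        // Error one from the article: check the content is what we expect
        // before treating it as a document of that type.
        val header = ByteArray(expectedMagic.size)
        val read = stream.read(header)
        if (read != header.size || !header.contentEquals(expectedMagic)) {
            throw IOException("content does not match the expected file type")
        }
        target.outputStream().use { output ->
            output.write(header)
            stream.copyTo(output)
        }
    }
    return target
}

// Keeps only a short alphanumeric extension from the sender-supplied name;
// everything else, including any path separators, is discarded.
fun sanitizedExtension(displayName: String): String {
    val ext = displayName.substringAfterLast('.', "")
    val ok = ext.isNotEmpty() && ext.length <= 8 && ext.all { it.isLetterOrDigit() }
    return if (ok) "." + ext.lowercase() else ""
}

// Asks the sending app's provider for the display name it advertises.
private fun queryDisplayName(context: Context, uri: Uri): String? {
    val projection = arrayOf(OpenableColumns.DISPLAY_NAME)
    context.contentResolver.query(uri, projection, null, null, null)?.use { cursor ->
        val index = cursor.getColumnIndex(OpenableColumns.DISPLAY_NAME)
        if (index >= 0 && cursor.moveToFirst()) return cursor.getString(index)
    }
    return null
}
```

A PDF reader would call cacheIncomingFileSafe(context, uri, "%PDF-".toByteArray()) and open only the returned file. The important design choice is that the sender never gets to pick a path: the display name contributes at most a few extension characters, and the containment check catches anything that still slips through.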

Security Basics

Unfortunately, this isn't a case where there's an easy solution for users. Uninstalling affected apps may be overkill as they are legitimate.

Instead, it's a reminder of standard Android security good practice, such as sticking to the official Play Store, reading reviews carefully and skeptically, and sticking to well-known and trusted developers. It's also worth remembering that although it was legitimate apps that were hijacked, affected users had also installed the malicious apps that did the hijacking in the first place.

What's Your Opinion?

Have you spotted any suspicious activity in a seemingly legitimate Android app? Have developers of such apps warned you of any risks? How do you try to manage security risk when using Android?



Focused100 commented:

I thought most phones, especially Android, have a sandbox feature to prevent bad apps from doing this.