Microsoft has discovered a new attack called “Dirty Stream”, which exploits flaws in Android’s content provider system.
This system is designed to manage access to shared data between different apps while ensuring security, according to Bleeping Computer.
However, improper implementation of custom intents can bypass these security measures. Dirty Stream allows malicious apps to manipulate file paths sent to other apps via custom intents, tricking them into executing or storing files in critical directories. This attack can lead to unauthorised code execution and data theft.
Microsoft researcher Dimitrios Valsamaras highlighted that many apps have incorrect implementations, affecting over four billion installations and creating a significant vulnerability.
Among the apps vulnerable to Dirty Stream attacks are Xiaomi’s File Manager (over a billion installations) and WPS Office (around 500 million installs). Both companies collaborated with Microsoft to address the issue.
Google also updated its app security guidance to address common implementation errors. For users, the best defence is to keep apps updated and avoid downloading from unofficial sources.