Dubbed Man-in-the-Disk, the assault takes payoff of the means Android apps utilize 'External Storage' arrangement to shop app-related data, which if tampered could outcome inwards code injection inwards the privileged context of the targeted application.
It should last noted that apps on the Android operating arrangement tin shop its resources on the device inwards 2 locations—internal storage in addition to external storage.
Google itself offers guidelines to Android application developers urging them to role internal storage, which is an isolated infinite allocated to each application protected using Android's built-in sandbox, to shop their sensitive files or data.
However, researchers constitute that many pop apps—including Google Translate itself, along alongside Yandex Translate, Google Voice Typing, Google Text-to-Speech, Xiaomi Browser—were using unprotected external storage that tin last accessed past times whatever application installed on the same device.
How Android Man-in-the-Disk Attack Works?
Similar to the "man-in-the-middle" attack, the concept of "man-in-the-disk" (MitD) assault involves interception in addition to manipulation of information beingness exchanged betwixt external storage in addition to an application, which if replaced alongside a carefully crafted derivative "would atomic number 82 to harmful results."
"Xiaomi Browser was constitute to last using the External Storage equally a staging resources for application updates," the researchers said inwards a blog post.
"As a result, our squad was able to deport out an assault past times which the application’s update code was replaced, resulting inwards the installation of an alternative, undesired application instead of the legitimate update."
In this way, attackers tin boot the bucket a man-in-the-disk position, from where they tin monitor information transferred betwixt whatever other app on the user's smartphone in addition to the external storage in addition to overwrite it alongside their ain malicious version inwards fellowship to manipulate or crash them.
The assault tin likewise last abused to install but about other malicious app inwards the background without the user's knowledge, which tin eventually last used to escalate privileges in addition to attain access to other parts of the Android device, similar camera, microphone, contact list, in addition to more.
Man-in-the-Disk Attack Video Demonstrations
Check Point researchers likewise managed to compromise files in addition to crash Google Translate, Google Voice-to-Text, in addition to Yandex Translate because those apps likewise failed to validate the integrity of information used from the Android's external storage.Among the apps that Check Point researchers tested for this novel MitD assault were Google Translate, Yandex Translate, Google Voice Typing, LG Application Manager, LG World, Google Text-to-Speech, in addition to Xiaomi Browser.
Google, which itself doesn't follow its safety guidelines, acknowledged in addition to fixed but about affected applications in addition to is inwards the procedure of fixing other vulnerable apps equally well, Check Point said.
Besides Google, the researchers likewise approached the developers of other vulnerable applications equally well, but some, including, Xiaomi declined to ready the issue, according to the researchers.
"Upon regain of these application vulnerabilities, nosotros contacted Google, Xiaomi, in addition to vendors of other vulnerable applications to update them in addition to asking their response," Check Point researchers said.The researchers stressed they exclusively tested a modest number of major applications in addition to thence await the number affects a to a greater extent than pregnant number of Android apps than what they explicitly noted, leaving millions of Android users potentially vulnerable to cyber threats.
"A ready to the applications of Google was released presently after, additional vulnerable applications are beingness updated in addition to volition last disclosed 1 time the acre is made available to their users, piece Xiaomi chose non to address it at this time."
