
Common Android Applications such as Xiaomi and WPS Office at Risk of File Overwrite Vulnerability

There is a vulnerability in several popular Android applications on the Google Play Store that could be exploited by malicious apps to overwrite files in the vulnerable app’s home directory.

A report from Dimitrios Valsamaras of the Microsoft Threat Intelligence team highlighted the implications of this vulnerability, including arbitrary code execution and token theft.

The vulnerability could lead to unauthorized access to online accounts and other data if successfully exploited.

Two of the vulnerable apps identified were Xiaomi File Manager (com.mi.android.globalFileexplorer) with over 1 billion installs, and WPS Office (cn.wps.moffice_eng) with over 500 million installs.

While Android has mechanisms in place for secure data sharing between apps, oversights in implementation could allow for bypassing of read/write restrictions within an app’s home directory.

One such pitfall involves a malicious FileProvider class that can enable file sharing between apps and lead to critical files being overwritten.

Both Xiaomi and WPS Office have fixed the issue after responsible disclosure, but Microsoft warns that similar vulnerabilities could exist in other apps.

Google has also provided guidance for developers on handling filenames provided by server applications to prevent such vulnerabilities.

Developers are advised to generate unique filenames or sanitize provided filenames to ensure security.
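The two options in that advice, sketched as an added example (not code from Microsoft, Google, or the affected apps). It is plain Java so it runs off-device; the class and method names are hypothetical, and on Android `displayName` would be whatever name the sending app's provider returns, for instance in `OpenableColumns.DISPLAY_NAME`.

```java
import java.io.File;
import java.io.IOException;
import java.util.UUID;

public final class IncomingFileNames {
    // Option 1: ignore the sender-supplied name and generate a unique one.
    static File uniqueTarget(File cacheDir) {
        return new File(cacheDir, UUID.randomUUID().toString());
    }

    // Option 2: keep the name, but reduce it to its last path segment and
    // confirm the resolved target still sits inside the receiving directory.
    static File sanitizedTarget(File cacheDir, String displayName) throws IOException {
        if (displayName == null) {
            throw new IOException("no filename supplied");
        }
        String name = new File(displayName.replace('\\', '/')).getName();
        if (name.isEmpty() || name.equals(".") || name.equals("..")) {
            throw new IOException("rejected filename: " + displayName);
        }
        File target = new File(cacheDir, name);
        String base = cacheDir.getCanonicalPath() + File.separator;
        if (!target.getCanonicalPath().startsWith(base)) {
            throw new IOException("filename escapes " + cacheDir);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Stand-in for the app's cache directory (assumption for this demo).
        File cacheDir = new File(System.getProperty("java.io.tmpdir"), "incoming");
        cacheDir.mkdirs();
        // Constructed sample names, as a sending app might supply them.
        String[] samples = {
            "report.pdf", "../shared_prefs/settings.xml", "/absolute/path/lib.so", ".."
        };
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + sanitizedTarget(cacheDir, s));
            } catch (IOException e) {
                System.out.println(s + " -> " + e.getMessage());
            }
        }
        System.out.println("unique -> " + uniqueTarget(cacheDir));
    }
}
```

Stripping to the last segment still lets two senders collide on the same name inside the cache directory, which is why the unique-name option is the safer default when the original name is not needed.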
