‘Man-in-the-disk’ attack took advantage of Android data security flaws

Several major mobile app developers including Google, Yandex and Xiaomi left numerous Android apps vulnerable to a so-called “Man-in-the-Disk” intrusion, a potent attack surface for Android apps that can potentially allow silent installation of malicious apps, according to researchers at Israeli cybersecurity firm Check Point.

Researchers were able to compromise files and crash Google Translate, Google Voice-to-Text and Yandex Translate because the apps failed to validate the integrity of data used from Android’s External Storage System.

Google acknowledged and fixed those applications and are in the process of fixing other vulnerable apps, Check Point said.

Google did not respond to a request for comment.

The “Man-in-the-Disk” attack surface allows a hacker to interfere with an Android app’s data stored in External Storage, the operating system’s type of storage typically used to share data between applications — for instance, a messenger using a photo from a camera app.

The intrusion’s name is a play on a man-in-the-middle attack, a general term for when a hacker steps in between communication between users and applications. In this instance, the hacker is positioned in Android’s External Storage to intercept and alter the conversation between apps on a targeted phone.

Another type of storage, Internal Storage, is used separately by each app and is effectively quarantined off from other apps by Android Sandbox.

The intrusion occurs when a user downloads an app — e.g. a free flashlight app — with an exploit script and then grants permission to access external storage, a perfectly normal looking request likely to be granted by the user. After that, a hacker can monitor and potentially data moving between apps via External Storage.

When apps use External Storage, they’re supposed to follow Android guidelines and take extra security precautions. That doesn’t always happen, however, as evidenced by several official Google apps failing to follow directions like performing input validation for data from External Storage.

“Through our research analysis we have witnessed cases where an app was downloaded, updated or received data from the app provider’s server, which passed through the External Storage before being sent on to the app itself – as seen in the diagram on the left,” Check Point’s researchers wrote. “Such practice offers an opportunity for an adversary to manipulate the data held in External Storage before the app reads it again.”

That adversary can use the attack surface to perform denial of service against apps, cause targeted apps to crash or perform code injects.

Xiaomi is a Chinese tech firm that owns about ten percent of the mobile market in that country. Check Point researchers said Xiaomi browser, the default browser on that company’s line of smartphones, fails to follow Android security guidelines for using External Storage. Therefore, the app allows a hacker to tamper with the app’s update code so that an undesired application is installed.

Xiaomi initially declined to fix the issue.

“Upon discovery of these application vulnerabilities, we contacted Google, Xiaomi and vendors of other vulnerable applications to update them and request their response,” the researchers said. “A fix to the applications of Google was released shortly after, additional vulnerable applications are being updated and will be disclosed once the patch is made available to their users, while Xiaomi chose not to address it at this time.”

A day after articles about the issue began appearing in the press, Xiaomi reached out to say they were working on a fix to be released by the end of August. A spokesperson even apologized for the issue and delay.

It’s clear from the research that Check Point found numerous other apps impacted, several of which are in the process of addressing the vulnerability. However, researchers stressed they only looked at a small number of major apps and therefore expect the problem is much more widespread than what they explicitly noted.

Instead of leaving it up to individual applications, the researchers argue that the Android operating system itself will have to take action.

“From experience then, it would seem that mere guidelines are not enough for OS vendors to exonerate themselves of all responsibility for what is designed by app developers,” Check Point’s researchers wrote.

“Instead, securing the underlying OS is the only long term solution to protecting against this new attack surface uncovered by our research.”

Update: A day after publication, a Xiaomi spokesperson reached out to CyberScoop to say that “an update for this issue will be released by the end of this month.” Product PR manager Nathan Yu apologized for the issue and said, “we will improve our processes to handle such vulnerabilities in the future.”