Researcher uses external Android storage to install malicious app
At the Def Con security conference, researcher Slava Makkaveev demonstrated an attack on Android smartphones that abuses Android’s external storage to break out of the sandbox of other apps and, for example, install a malicious app.
Makkaveev, who works for security firm Check Point, explained during his presentation that by external storage he means a partition within the internal flash of Android phones that is shared by all apps on the device. Although the Android guidelines state that app developers should use this storage only with appropriate security measures, he found that a number of major developers do not follow these recommendations, including Google, LG, and Xiaomi. According to him, this makes it possible to penetrate the sandbox of vulnerable Android apps. His attack requires that a seemingly “harmless” app with permission to write to external storage (WRITE_EXTERNAL_STORAGE) is already present on the device.
One of the recommendations for Android developers, for example, is to apply input validation to any data read from external storage. He showed that Google Translate does not do this: the app places its packages for offline translation on external storage and trusts them as-is. By replacing these files he was able to crash the Translate app when it attempts to perform a translation, which in turn paves the way for injecting code that runs inside the vulnerable app.
Another recommendation is that developers should not place executable files on external storage. LG’s Application Manager and the Xiaomi Browser, for example, did exactly that: both download updates to external storage before installing them. This allowed Makkaveev to modify the downloaded update file so that a malicious app was silently installed on the phone instead of the update. The researcher calls his attack man-in-the-disk and has developed a fuzzer to detect these kinds of vulnerabilities. Check Point published a blog post after the presentation.
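The two developer recommendations above come down to the same thing: a file on external storage can be rewritten by any app holding the write permission, so it must not be trusted without a check, and an update package should not live there at all. The following Java sketch is an added illustration, not code from Check Point, Google, LG or Xiaomi. It shows an updater that stages a downloaded APK on shared external storage (the pattern the article describes) beside a variant that keeps the file in app-private storage and verifies its SHA-256 digest, obtained separately over the TLS-protected update channel, before handing it to the package installer. The class name, the FileProvider authority and the file names are assumptions; the same digest check applies to data packs such as offline translation bundles.

```java
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.os.Environment;
import androidx.core.content.FileProvider;

import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Added example (not vendor code): man-in-the-disk-prone update staging
 * beside a hardened variant. Names and paths are hypothetical.
 */
public final class UpdateInstaller {

    /** Hypothetical FileProvider authority; must match the app manifest. */
    private static final String AUTHORITY = "com.example.updater.fileprovider";

    /* ---- Vulnerable: the APK sits on shared, world-writable storage ---- */
    public static File stageOnExternalStorage(InputStream download) throws IOException {
        File dir = new File(Environment.getExternalStorageDirectory(), "updates");
        dir.mkdirs();
        File apk = new File(dir, "update.apk");
        copy(download, apk);
        // Any app with WRITE_EXTERNAL_STORAGE can overwrite update.apk in the
        // window between this return and the install() call below.
        return apk;
    }

    /* ---- Hardened: app-private storage plus an integrity check ---- */
    public static File stageInPrivateStorage(Context ctx, InputStream download,
                                             byte[] expectedSha256) throws IOException {
        // getFilesDir() is inside the app sandbox; other apps cannot write there.
        File apk = new File(ctx.getFilesDir(), "update.apk");
        copy(download, apk);
        byte[] actual = sha256(apk);
        // Constant-time comparison against the digest obtained over TLS.
        if (!MessageDigest.isEqual(expectedSha256, actual)) {
            apk.delete();
            throw new IOException("update digest mismatch; refusing to install");
        }
        return apk;
    }

    /** Hands a staged APK to the system package installer via a content URI. */
    public static void install(Context ctx, File apk) {
        Uri uri = FileProvider.getUriForFile(ctx, AUTHORITY, apk);
        Intent i = new Intent(Intent.ACTION_VIEW)
                .setDataAndType(uri, "application/vnd.android.package-archive")
                .addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                        | Intent.FLAG_ACTIVITY_NEW_TASK);
        ctx.startActivity(i);
    }

    /** SHA-256 of a file, streamed so large packages do not need to fit in memory. */
    static byte[] sha256(File f) throws IOException {
        try (InputStream in = new FileInputStream(f)) {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                md.update(buf, 0, n);
            }
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    /** Copies the download stream to disk. */
    static void copy(InputStream in, File dst) throws IOException {
        try (OutputStream out = new FileOutputStream(dst)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        }
    }
}
```

For the hardened path the FileProvider must expose the private directory with a `<files-path>` entry in its paths XML; the installer then reads the file through a content URI that only the granted component can open. Moving the file to private storage removes the overwrite window; the digest check additionally catches a package that was tampered with before it ever reached the device, which is why both measures belong together.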
Attack via Xiaomi browser with malicious app installed in the background