Security experts discovered a new Android infection mechanism called the Man-in-the-Disk attack. It abuses a design issue in the operating system itself: the way access to external storage is handled. Abuse of this possibility can expose sensitive data to criminal operators.
Android Man-in-the-Disk Attack Allows Apps Exposure
Security analysts detected a design issue in the Android operating system that has led to a vulnerability. It is made possible by abusing the way storage resources are handled. The analysts note that "careless use" of external storage access can lead to man-in-the-middle attacks. Files placed there are not covered by the application sandbox, which is a known security risk. Internal storage is the device's built-in memory, where the main application data is kept; external storage is either a partition of that built-in memory or removable storage (a microSD card).
The Man-in-the-Disk attack can be exploited through almost any app that holds the WRITE_EXTERNAL_STORAGE permission. The majority of popular user-installed applications use external storage as a temporary buffer when downloading information from Internet services. Using external storage as a cache for working data has become the norm, as many devices have limited internal storage space.
The defining characteristic of external storage is that any app with access to it can monitor it and therefore overwrite files. There are several scenarios that malicious actors can attempt:
- File Operations — Data and cache found on the external storage partition can be accessed, retrieved or modified.
- Behavior Modification — By manipulating values in configuration files or temporary settings, attackers can induce unexpected behaviour. This can lead to application crashes and changes in the way applications run.
Investigating the Man-in-the-Disk issue further, the analysts used fuzzing to test for specific vulnerabilities, running native Android libraries in an emulator with an adapted tool. This environment allowed the problem to be demonstrated in several popular applications.
A prime example is the Google Translate app, which downloads language translation packages and keeps them on the external storage partition. Using the Man-in-the-Disk attack, attackers can generate a rogue binary that overwrites the original data. This can crash the application or modify the results it returns. A similar approach works against Google Voice Assistance.
Non-Google apps are also affected; one example is the Xiaomi Browser, which downloads its own update APK file to external storage. This means attackers can overwrite that APK file, replacing it with rogue code. Two other popular tools, Yandex Translate and Yandex Search, have also been found vulnerable.
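The mechanism described above (apps caching downloaded packages on shared storage that any other app with the storage permission can rewrite) and the mitigation a developer would reach for can be modelled without an Android device. The following is an added illustration, not code from the article or from any of the apps it names: two temporary directories stand in for Android's app-private internal storage and the shared external storage, and a hypothetical cache class pins the SHA-256 of every package it writes to the shared directory in a manifest kept on the private side, refusing to load anything whose digest no longer matches. The class and file names are invented for the example.

```python
"""Integrity check for a download cache kept on shared storage (illustrative).

Two directories model Android storage: `private_dir` stands in for the
sandboxed internal storage only this app can write, `shared_dir` for the
external storage any app holding WRITE_EXTERNAL_STORAGE can modify.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


class PackageTampered(Exception):
    """Raised when a cached package on shared storage fails its integrity check."""


class LanguagePackCache:
    """Hypothetical cache: payload on shared storage, trust anchor in private storage."""

    def __init__(self, private_dir: Path, shared_dir: Path) -> None:
        self.private_dir = private_dir
        self.shared_dir = shared_dir
        self.manifest = private_dir / "manifest.json"  # lives in sandboxed storage
        private_dir.mkdir(parents=True, exist_ok=True)
        shared_dir.mkdir(parents=True, exist_ok=True)

    def _load_manifest(self) -> dict:
        if self.manifest.exists():
            return json.loads(self.manifest.read_text())
        return {}

    def store(self, name: str, data: bytes) -> Path:
        """Simulate a download: write the payload to shared storage and pin its
        digest in the private manifest, where other apps cannot alter it."""
        target = self.shared_dir / name
        target.write_bytes(data)
        manifest = self._load_manifest()
        manifest[name] = hashlib.sha256(data).hexdigest()
        self.manifest.write_text(json.dumps(manifest))
        return target

    def load(self, name: str) -> bytes:
        """Return the cached package only if its digest matches the pinned value."""
        expected = self._load_manifest().get(name)
        target = self.shared_dir / name
        if expected is None or not target.exists():
            raise FileNotFoundError(name)
        # Read once and hash exactly the bytes that will be used, so a file
        # rewritten between a separate check and the read cannot slip through.
        data = target.read_bytes()
        actual = hashlib.sha256(data).hexdigest()
        if not hmac.compare_digest(actual, expected):
            raise PackageTampered(f"{name}: digest {actual[:12]} != pinned {expected[:12]}")
        return data


def demo() -> dict:
    """Run the model end to end and return the outcomes for checking."""
    root = Path(tempfile.mkdtemp(prefix="mitd-"))
    cache = LanguagePackCache(root / "internal", root / "external")
    payload = b"constructed sample language package"  # constructed test data
    pack = cache.store("fr.pack", payload)
    loaded_ok = cache.load("fr.pack") == payload
    # Model an out-of-band modification of the shared file by another process
    # and confirm the loader rejects it instead of using the altered contents.
    pack.write_bytes(b"modified contents")
    try:
        cache.load("fr.pack")
        tampered_rejected = False
    except PackageTampered:
        tampered_rejected = True
    return {"loaded_ok": loaded_ok, "tampered_rejected": tampered_rejected}


if __name__ == "__main__":
    print(demo())
```

The pinned digest is only a trust anchor because it lives on the sandboxed side; pinning it next to the payload on shared storage would let the same writer replace both. The simplest fix the example hints at is to skip shared storage entirely and write the package to app-private storage in the first place, which is what the article's closing advice amounts to.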
This short analysis shows that many applications can be exploited via the Android Man-in-the-Disk attack. The root cause is a design issue in Android itself. Apps can restrict how they use the external storage partition, but this does not remove the possibility of exploiting the vulnerability. A classic scenario is a coordinated Man-in-the-Disk attack: it can begin by posting an innocuous-looking app on the Google Play Store (or another repository), through which the attacker acquires external storage permissions and downloads rogue or malicious applications that can take over the infected host. More complex malware interactions can include privilege escalation and related actions.
Update: Following the public disclosure of the vulnerabilities, Google has acknowledged that it is working with software developers to fix the vulnerable apps. The security researchers involved in the process are also approaching software makers to alert them to the issues. However, some of them have chosen not to address the problems in an urgent security update, deferring the fix to a later minor version release.