Senior Security Research, Microsoft
Dirty Stream Attack - Turning Android Share Targets To Attack Vectors
The Android operating system uses intents as its main means of exchanging information between applications. Besides messaging, file exchange is also possible by simply constructing an intent of action ACTION_SEND and using it to forward the desired file as an associated stream to another application. On the other end, the receiving app can define a filter in its manifest to inform the intent resolver to route the forwarded stream to a specific component.
While the sender application can construct an implicit intent and delegate the choice of target to the user, it can also explicitly name a component of another package and, provided that component is exported, trigger it with an explicit intent. The latter eliminates the need for user interaction and can be initiated at any time while the sender application is in the foreground.
In this talk, we describe an attack that exploits the case where the receiving application blindly trusts an incoming stream and processes it without validation. The concept is similar to a file upload vulnerability in a web application. More specifically, a malicious app uses a specially crafted content provider to carry a payload that it sends to the target application. Because the sender controls not only the content but also the name of the stream, a receiver that does not perform the necessary security checks may overwrite critical files with malicious content. Additionally, when certain conditions apply, the receiver may also be forced to copy protected files to a public directory, putting the user's private data at risk.
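To make the receiver-side mistake concrete, here is an added example (not code from the talk or from any of the affected apps) of a hypothetical share-target activity that saves an incoming ACTION_SEND stream: `saveUnsafe` trusts the provider-reported display name when building the destination path, while `saveSafe` strips directory components and verifies the canonical destination stays inside the intended directory. The class and method names are assumptions for illustration.

```java
import android.database.Cursor;
import android.net.Uri;
import android.provider.OpenableColumns;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;

// Hypothetical share-target activity (added example, not from the talk).
public class ShareReceiverActivity extends android.app.Activity {
    // The display name is answered by the sending app's content provider, so it is
    // attacker-controlled and may contain path separators or ".." segments.
    private String queryDisplayName(Uri uri) {
        try (Cursor c = getContentResolver().query(uri,
                new String[]{OpenableColumns.DISPLAY_NAME}, null, null, null)) {
            if (c != null && c.moveToFirst()) {
                return c.getString(c.getColumnIndexOrThrow(OpenableColumns.DISPLAY_NAME));
            }
        }
        return null;
    }

    // VULNERABLE: the reported name is joined to the destination directory as-is,
    // so a name such as "../shared_prefs/app.xml" resolves outside that directory.
    void saveUnsafe(Uri uri, File dir) throws IOException {
        copy(uri, new File(dir, queryDisplayName(uri)));
    }

    // HARDENED: keep only the final path element, reject "." and "..", and confirm
    // the canonical destination still lies inside the intended directory.
    void saveSafe(Uri uri, File dir) throws IOException {
        String name = queryDisplayName(uri);
        if (name == null) throw new IOException("stream has no display name");
        name = new File(name).getName();  // drops any directory components
        if (name.isEmpty() || name.equals(".") || name.equals("..")) throw new IOException("rejected name");
        File dest = new File(dir, name);
        String base = dir.getCanonicalPath() + File.separator;
        if (!dest.getCanonicalPath().startsWith(base)) throw new IOException("destination escapes " + dir);
        copy(uri, dest);
    }

    private void copy(Uri uri, File dest) throws IOException {
        try (InputStream in = getContentResolver().openInputStream(uri);
             FileOutputStream out = new FileOutputStream(dest)) {
            if (in == null) throw new IOException("cannot open stream");
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) out.write(buf, 0, n);
        }
    }
}
```

The same canonical-path check should guard any other place where provider-supplied metadata (name, MIME type, size) influences a file system path or a later file read.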
During our research, we identified multiple apps susceptible to this type of attack that are published on the Google Play Store and have millions of installations. We promptly informed the vendors so that the appropriate fixes could be provided.
Dimitrios Valsamaras has participated in many international and local projects, building his experience in mobile, web, and network penetration testing. He holds a degree in Computer Science with a major in Cryptography and Security. His prior experience in the IT industry spans development, systems administration, and IT security services. He has a strong passion for reverse engineering and was a member of one of the first reverse engineering research groups in Greece. During the last five years, Dimitrios has been working with some of the largest companies in the industry, including Microsoft and Google, focusing on Android ecosystem security.