

Android Bug Affects Apps With Over 4 Billion Downloads

That qualifies as a large number.

The bug affects many apps because it is actually a feature of the Android OS – one that can be abused and misused.

The feature is a built-in method for apps to talk to one another called Intents. The problem is that many developers are not using secure software development practices, and that allows a malicious app to take over a target app.

The abuse can lead to unauthorized code execution, data theft or other malicious outcomes.

Microsoft discovered the exploit and reported it to Google. They say that they identified a few apps that were vulnerable and those apps had more than 4 billion downloads.

They do NOT think that 4 billion is actually the total population of vulnerable installs. If anything, it is the lower end of the count.

Just two of the apps that were vulnerable to the attack, named DIRTY STREAMS, are Xiaomi’s File Manager, which has been downloaded over a billion times, and WPS Office, which has over 500 million downloads.

But Microsoft says that “we anticipate that the vulnerability pattern could be found in other applications”.

Basically, the vulnerability is a fairly standard one: the developer does insufficient validation of the inputs the app responds to. In this case the inputs come not from the user but from another app.
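To make the point concrete, here is an added illustrative example; it is not code from the alert, from Microsoft, or from any of the apps named above. The alert does not describe which inputs the vulnerable apps failed to validate, so the scenario below is an assumption: an Android Activity receives a file from another app through an Intent and uses the caller-supplied display name to decide where to save it. The class name `IncomingFileValidator`, the method names, and the `targetDir` parameter are all hypothetical. The code rejects the request unless the URI is a `content://` URI and the name, once resolved, still lands inside the app's intended directory.

```java
// Added illustrative example, not from the alert or from any app it names.
// Assumed scenario: another app hands us a file via an Intent; we must not
// trust the name it supplies when choosing a destination on disk.
import android.content.ContentResolver;
import android.content.Intent;
import android.database.Cursor;
import android.net.Uri;
import android.provider.OpenableColumns;

import java.io.File;
import java.io.IOException;

public final class IncomingFileValidator {
    private final File targetDir; // hypothetical: the only directory we write into

    public IncomingFileValidator(File targetDir) {
        this.targetDir = targetDir;
    }

    /**
     * Returns a safe destination for the incoming file, or null if the
     * request from the other app should be refused.
     */
    public File resolveDestination(ContentResolver resolver, Intent intent) throws IOException {
        Uri uri = intent.getData();
        // Only accept content:// URIs; refuse raw file paths and anything else.
        if (uri == null || !ContentResolver.SCHEME_CONTENT.equals(uri.getScheme())) {
            return null;
        }

        String name = queryDisplayName(resolver, uri);
        if (name == null || name.isEmpty()) {
            return null;
        }
        // Reject separators, NUL bytes and dot-only names outright.
        if (name.contains("/") || name.contains("\\") || name.indexOf('\0') >= 0
                || name.equals(".") || name.equals("..")) {
            return null;
        }

        // Canonicalize and confirm the result is still inside targetDir.
        File dest = new File(targetDir, name);
        String base = targetDir.getCanonicalPath() + File.separator;
        if (!dest.getCanonicalPath().startsWith(base)) {
            return null;
        }
        return dest;
    }

    // Ask the content provider for the file's display name.
    private static String queryDisplayName(ContentResolver resolver, Uri uri) {
        String[] projection = {OpenableColumns.DISPLAY_NAME};
        try (Cursor c = resolver.query(uri, projection, null, null, null)) {
            if (c != null && c.moveToFirst()) {
                int idx = c.getColumnIndex(OpenableColumns.DISPLAY_NAME);
                return idx >= 0 ? c.getString(idx) : null;
            }
        }
        return null;
    }
}
```

The two checks are deliberately redundant: the character filter catches the obvious cases early, and the canonical-path comparison is the check that actually decides whether a write may proceed, so a name that slips past the first filter still cannot land outside the directory the app meant to use.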

Microsoft says that both companies were “responsive” to their report and fixed the vulnerabilities. I had one of these apps installed on my phone and I chose to uninstall it.

The bigger problem is that there are millions of apps on the Play Store and many of them (how many is unknown) are vulnerable.

But this is NOT A BUG, so Google can’t fix it. What is required is for developers to implement secure software development practices.

Google did update their security guidance documentation, but there is nothing that they can do to make sure that developers actually follow best practices.

As a business, you need to make sure that your developers are properly trained. If you are a user, all you can do is (a) delete unneeded apps, (b) make sure that you are updating apps whenever available and (c) do not install apps from untrusted app stores.

If you need help, please contact us.

Credit: Bleeping Computer