New Android security flaw lets hackers seize control of apps — how to stay safe

Android logo on phone next to Malware sign
(Image credit: Getty Images)

Editor’s Note: We have updated this article to highlight the fact that the vulnerable apps in question have since been patched by their respective developers. Also, we’ve changed the headline to address that the apps themselves are not malicious and don’t need to be deleted. We’ll update this story as we learn more.

Microsoft is sounding the alarm about a recently discovered critical security vulnerability on Android named "Dirty Stream" that can let malicious apps easily hijack legitimate apps. Worse still, this flaw impacts multiple apps with hundreds of millions of installs. If you have one of the best Android phones, here's what you need to know to protect your data. 

The vulnerability relates to the ContentProvider system prevalent across many popular Android apps, which manages access to structured data sets meant to be shared between different applications. It's basically what lets your Android apps talk to one another and share files. To protect users and ward off unauthorized access, the system includes safeguards such as strict isolation of data, unique permissions attached to specific URIs (Uniform Resource Identifiers), and path validation security. 

According to Microsoft's alert, two vulnerable apps that have since been patched  include Xiaomi Inc.’s File Manager (1B+ installs) and WPS Office (500M+ installs). 

What makes the Dirty Stream vulnerability so devious is how it manipulates this system. Microsoft has found that hackers can create "custom intents," messaging objects that facilitate communication between components across Android apps, to bypass these security measures. By exploiting this loophole, malicious apps can send a file with a manipulated filename or path to another app using a custom intent, sneaking in harmful code disguised as legitimate files. 

From there, a hacker could trick a vulnerable app into overwriting critical files within its private storage space — and the results can be devastating. As BleepingComputer put it, Dirty Stream essentially turns a common OS-level function into a weaponized tool to execute unauthorized code, steal data, and even hijack an app while the user is none the wiser. 

"Arbitrary code execution can provide a threat actor with full control over an application’s behavior," Microsoft said in a security bulletin this week. "Meanwhile, token theft can provide a threat actor with access to the user’s accounts and sensitive data."

How widespread is this threat?

Microsoft’s investigation found that this vulnerability is not an isolated issue. The company uncovered incorrect implementations of the content provider system across many popular Android apps. 

"We identified several vulnerable applications in the Google Play Store that represented over four billion installations," Microsoft explained. "We anticipate that the vulnerability pattern could be found in other applications."

Given the nature of how this vulnerability works, it's hard to know exactly how many other legitimate apps may have been impacted. But it's safe to assume this potential risk is on an industrial scale until all apps are patched. 

How to stay safe from Android malware

A hand holding a phone securely logging in

(Image credit: Google)

When it comes to staying safe from Android malware, one of the easiest and simplest things you can do is to limit the number of apps on your phone. I know this may sound silly but think of it this way, the fewer apps you have, the less likely that one of them may turn out to be malicious. Before installing any new app, first ask yourself whether or not you actually need it.

From here, you want to make sure that you’re installing new security updates and patches as soon as they become available. These often fix vulnerabilities and zero-day flaws which can be used to launch attacks by hackers. While you can use an old phone for longer than you’d expect, it’s worth upgrading to a new device once your current phone isn’t receiving security updates any more, especially if you want to be on the safe side.

You also want to make sure that Google Play Protect is enabled on your device. This pre-installed app scans both your existing apps and any new ones you download for malware. Likewise, if you want extra protection and potentially even some extra features like a VPN or password manager, you also want to check out the best Android antivirus apps.

As ‘Dirty Stream’ is a very serious flaw, it’s likely that Google is already working on a fix as Microsoft would have shared any of the info it uncovered with the search giant before publishing its alert.

More from Tom's Guide

TOPICS
Alyse Stanley
News Editor

Alyse Stanley is a news editor at Tom’s Guide overseeing weekend coverage and writing about the latest in tech, gaming and entertainment. Prior to joining Tom’s Guide, Alyse worked as an editor for the Washington Post’s sunsetted video game section, Launcher. She previously led Gizmodo’s weekend news desk, where she covered breaking tech news — everything from the latest spec rumors and gadget launches to social media policy and cybersecurity threats.  She has also written game reviews and features as a freelance reporter for outlets like Polygon, Unwinnable, and Rock, Paper, Shotgun. She’s a big fan of horror movies, cartoons, and miniature painting.

With contributions from
  • CaptainBrowncoat
    "How to stay safe from Android malware:" don't sideload - but, hey, this malware came from the Play Store, so we're just giving insipid "advice" that doesn't work to do what we promise, anyway!

    I swear - do you guys really expect to be taken seriously when you contradict yourselves like this? Ridiculous.
    Reply
  • Anne Michelle
    This burns me up. Total click bait! Where are the apps to uninstall as part of title of this article? WHERE AND WHICH APPS? 🤬
    Reply
  • Suburbazine
    I just want to know which highly misguided individual thought up the line about Google Play Protect scanning your device for malware. It literally can't, it's just a GUID scanner to match apps with their app store versions. Not on the app store? Oh no it's horrible malware.

    App store apps go through no processes to vet them for malicious behavior, as seen by repeatedly infected apps getting Gplay's seal of approval. A side loaded app is less likely to be malicious as at least the user knows where it came from.
    Reply
  • Mark Spoonauer
    CaptainBrowncoat said:
    "How to stay safe from Android malware:" don't sideload - but, hey, this malware came from the Play Store, so we're just giving insipid "advice" that doesn't work to do what we promise, anyway!

    I swear - do you guys really expect to be taken seriously when you contradict yourselves like this? Ridiculous.
    Thanks for your comment. We have adjusted the article to remove the advice about sideloading. It doesn't apply in this case.
    Reply
  • Mark Spoonauer
    Anne Michelle said:
    This burns me up. Total click bait! Where are the apps to uninstall as part of title of this article? WHERE AND WHICH APPS? 🤬
    Hi we did mention two of the apps compromised but have highlighted them further.
    Reply
  • LegendsOfBatman
    Mark Spoonauer said:
    Thanks for your comment. We have adjusted the article to remove the advice about sideloading. It doesn't apply in this case.
    Is this why that's still there?
    I know every Internet company wants to be "the first" to report; but, in doing so, they don't just make mistakes, without proof-reading, but, they no longer fact check, and ensure proper grammar is used, along with incorrect spellings, relying fully on spell-check.
    Which reminds me of the old spell check joke:
    Eye no this is spelled core wreck lee, four my com pewter tolled me sew.
    Regardless, get so sick of companies bypassing all the rules of proper journalism.
    Reply