Researchers from Check Point have identified a new type of vulnerability that puts Android users at risk. The vulnerability, dubbed Man In The Disk, can be leveraged by hackers to crash applications, cause denial of service (DoS) and even install malicious applications on any Android smartphone.
The risk lies in how an Android application uses external storage. This attack vector specifically targets the external storage of Android smartphones, since the internal storage is protected by the Android sandbox.
The attack becomes possible when an Android application handles external storage carelessly. Google has set out guidelines for developers whose apps store data in external storage. They are listed below.
- Input Validation must be performed
- Executables and class files must not be stored on External Storage
- Files that are stored in External storage must be cryptographically verified before loading.
But Check Point researchers claim that even Google, the original equipment manufacturer that laid down these terms, has not followed its own guidelines in a few applications, which puts the users of those applications at risk.
In general, developers prefer to use external storage for many reasons. Most of them come down to low internal storage space or the developer's laziness. Not all applications are vulnerable to this attack, but those that handle external storage are certainly vulnerable.
Man In The Disk – Attack Scenario:
Android applications that require a lot of space use external storage. Games like Asphalt, PUBG and Fortnite are among them. Let's consider that the attacker targets PUBG for this attack.
In step 1, the attacker installs a seemingly harmless application, which has access to the external storage, on the victim's smartphone.
Now, let's assume that the victim is downloading a gaming application like PUBG.
The entire application cannot be downloaded from the Play Store. After the PUBG application gets installed, the victim launches the game and it begins downloading its main resources from its server.
Now, let's assume that the PUBG application that was downloaded from the Play Store is stored in external storage.
Under these circumstances, the attacker can use his seemingly harmless application to meddle with the data of the PUBG application in external storage. The attacker then replaces the URL from which the PUBG application requests its resources.
After the attacker has successfully tampered with the code, the victim downloads the malicious resource injected by the attacker's seemingly harmless application, which has access to external storage.
This is how the Man In The Disk attack takes place. Though PUBG is not vulnerable to this attack, Fortnite, which is similar to PUBG, is vulnerable to it. A proof of concept video was released yesterday explaining how the Man In The Disk attack can be leveraged to hack Android users.
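The guideline that files in external storage be cryptographically verified before loading, applied to the scenario above, as an added example that is not code from Check Point, Google or any of the games mentioned. It is plain Java using temporary directories as stand-ins for external and app-private storage; the class name, method name, file names and sample contents are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.DigestInputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class VerifiedResourceLoader {
    // Copies a file from external storage into the app-private directory while hashing
    // the copied bytes, and keeps the copy only if it matches the digest shipped with the app.
    static Path importVerified(Path external, Path privateDir, byte[] expectedSha256)
            throws IOException, NoSuchAlgorithmException {
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        Path tmp = Files.createTempFile(privateDir, "res", ".tmp");
        try (InputStream in = new DigestInputStream(Files.newInputStream(external), sha256)) {
            Files.copy(in, tmp, StandardCopyOption.REPLACE_EXISTING);
        }
        // The digest covers exactly the bytes now held in private storage, so a later
        // rewrite of the external file cannot change what the app goes on to load.
        if (!MessageDigest.isEqual(sha256.digest(), expectedSha256)) {
            Files.delete(tmp);
            throw new SecurityException("digest mismatch for " + external.getFileName());
        }
        return tmp; // load from this path, never from the external one
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: temp directories stand in for the two storage areas.
        Path externalDir = Files.createTempDirectory("external");
        Path privateDir = Files.createTempDirectory("private");
        Path resource = externalDir.resolve("resource.pak");
        byte[] original = "game-data-v1".getBytes(StandardCharsets.UTF_8);
        Files.write(resource, original);
        // In a real app the expected digest is pinned in the signed package, not computed here.
        byte[] pinned = MessageDigest.getInstance("SHA-256").digest(original);

        System.out.println("untampered -> " + importVerified(resource, privateDir, pinned));

        // Simulates another app with external-storage access rewriting the file.
        Files.write(resource, "game-data-evil".getBytes(StandardCharsets.UTF_8));
        try {
            importVerified(resource, privateDir, pinned);
        } catch (SecurityException e) {
            System.out.println("tampered   -> rejected: " + e.getMessage());
        }
    }
}
```

Hashing the file in place and then opening it again from external storage would leave a window in which another app can swap the contents between the check and the load, which is why the check runs on the private copy.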
To know more about Man In The Disk attacks, check this blog post by Check Point researchers.