You have probably heard of man-in-the-middle attacks, where an attacker inserts himself into the path between a source and its intended recipient, diverting the traffic to his or her own machine and impersonating the other end. It is a bit more involved than that, but you get the basic idea. Because the source PC believes it is talking to the right computer, the attacker can read and alter the entire conversation. Then came man-in-the-browser attacks, where malware takes control of a browser session and achieves the same result from inside the client.
Now Check Point has discovered a new variation, called man-in-the-disk. The awkward name really does get across what is going on. It starts with Android's external storage: the shared area (a removable SD card, or its emulated equivalent on internal flash) that apps use to pass files around. There is a reason iPhones don't offer a shared storage area of this kind: it is inherently hard to secure. Part of the issue is that this area can be read and written by any app on the device that has been granted the storage permission, and the Android OS does not isolate or integrity-check what individual apps put there. Android does offer developers guidelines on proper use of this storage resource, but nothing forces anyone to follow them.
So how does this exploit work? Some pre-installed and popular apps ignore Android's security guidelines and place sensitive data in the unprotected external storage area. An attacker can modify that data so that the next time the app reads it, the content has changed, and the app, which trusts whatever it finds there, is none the wiser. The modification is done through a seemingly innocent app, such as a flashlight or a game, that asks for storage permission and uses it to tamper with the shared area. The root cause echoes the buffer overflows that were common in the early PC days before developers got smarter about including checks: input from a location the program should not trust is consumed without validation.
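To make the pattern concrete, here is an added example (not Check Point's research code and not the code of any app named on this page) contrasting the vulnerable habit the research describes with a hardened version. The file name, the class, and the pinned digest value are placeholders chosen for illustration; the Android calls (`Environment.getExternalStorageDirectory()`, `Context.getFilesDir()`) are the real APIs.

```java
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

import android.content.Context;
import android.os.Environment;

/**
 * Added illustration, not code from the page or from any app it names.
 * Shows why a file kept in shared external storage can be swapped by a
 * third-party app, and how to keep and check the file instead.
 */
public class ResourceLoader {

    // Hypothetical resource file the app needs at runtime.
    private static final String RESOURCE_NAME = "dictionary.bin";

    // Placeholder only: a real app pins the SHA-256 of the file it actually
    // shipped (or verifies a signature over it) at build time.
    private static final byte[] EXPECTED_SHA256 = new byte[32];

    /**
     * VULNERABLE: the file lives in shared external storage. Any app holding
     * the storage permission can read and overwrite it, and whatever is on
     * disk is handed to the parser as if the app had written it itself.
     */
    public static byte[] loadUnsafe() throws IOException {
        File shared = new File(Environment.getExternalStorageDirectory(), RESOURCE_NAME);
        return readAll(shared);
    }

    /**
     * HARDENED: keep the file in app-private internal storage, which other
     * non-root apps cannot reach, and still verify its digest before parsing
     * so a tampered or truncated copy is rejected instead of consumed.
     */
    public static byte[] loadVerified(Context ctx) throws IOException {
        File priv = new File(ctx.getFilesDir(), RESOURCE_NAME);
        byte[] data = readAll(priv);
        // MessageDigest.isEqual is a constant-time comparison.
        if (!MessageDigest.isEqual(sha256(data), EXPECTED_SHA256)) {
            throw new IOException("resource failed integrity check; refusing to load");
        }
        return data;
    }

    /** Reads the whole file into memory. */
    static byte[] readAll(File f) throws IOException {
        try (InputStream in = new FileInputStream(f)) {
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
            return out.toByteArray();
        }
    }

    /** SHA-256 over the file contents. */
    static byte[] sha256(byte[] data) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(data);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }
}
```

Two points worth noting about the hardened version. First, moving the file to `getFilesDir()` is the primary fix; the digest check is defence in depth for the case where the data still has to come from somewhere the app does not control, such as a download. Second, `getExternalFilesDir()` is not a substitute: on the Android versions the research targeted it still lives on shared storage and is reachable by any app with the storage permission.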
The researchers were able to crash legitimate apps and to inject code that hijacked the permissions granted to the attacked application, escalating the attacker's own privileges for further mischief.
So who were the lazy, no-good developers that didn't secure their storage? For starters, look at the teams behind Google's own Translate and Voice Typing apps. Oops. Fortunately, they fixed the problem once the researchers reported it. Check Point says it has found many other affected apps and is working with their developers, but it has not disclosed which ones. Clearly, this is another call for better coding practices, and for understanding how you validate your inputs and outputs. I am glad Check Point figured this out.
Check Point has published more technical details here.