Man-in-the-Disk attacks take advantage of Android storage systems

Updated: The novel attack technique relies on Android developers who use lazy storage protocols.
Written by Charlie Osborne, Contributing Writer

A new attack technique called "Man-in-the-Disk" takes advantage of careless storage protocols in third-party applications in order to crash a victim's Android mobile device.

When we consider mobile attack vectors, malware, software vulnerabilities, and phishing campaigns may come to mind.

However, the way in which smartphones and tablets handle storage may also prove to be an overlooked area that attackers could easily target, with severe consequences.

External storage is a resource shared across the majority of mobile applications and is not covered by Android's sandbox storage protections. In comparison, internal storage is better protected, as sandbox restrictions apply.

According to researchers from Check Point, there are "shortcomings" in how Google's Android operating system utilizes external storage resources. When third-party applications and developers are careless in how storage is managed, this may lead to what the team calls "Man-in-the-Disk" attacks.

External storage is formed through either a partition or via an SD card and is shared by all applications. Man-in-the-Disk attacks are focused on the external storage aspect of Android mobile devices.

"Failing to employ security precautions on their own leaves applications vulnerable to the risks of malicious data manipulation," the team says.

Check Point says that some apps will choose external over internal storage due to a lack of capacity available in internal storage, backward compatibility issues, or what the firm calls "mere laziness."

When external storage is preferred, Google suggests that developers make sure input validation is in place, executables are not stored externally, and also says that files should be signed and cryptographically verified prior to dynamic loading.

However, the researchers say that app developers -- and even Google itself -- are not following these guidelines, leaving Android users open to attack.
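The guidance above on cryptographically verifying files before loading them, as an added example that is not from Check Point, Google, or the original article. It is plain JVM Java; the class and method names, the ECDSA key pair, and the temporary directories are constructed stand-ins, and on Android the private directory would be the app's internal storage (for example `Context.getFilesDir()`).

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;

public class VerifiedLoad {
    // Copy the file out of shared storage into an app-private directory first,
    // then verify the detached signature over the private copy. Checking the
    // copy (not the shared file) means another app cannot replace the content
    // between the check and the use.
    static Path copyThenVerify(Path shared, Path privateDir, byte[] sig, PublicKey key)
            throws IOException, GeneralSecurityException {
        Path local = Files.createTempFile(privateDir, "staged-", ".bin");
        Files.copy(shared, local, StandardCopyOption.REPLACE_EXISTING);
        Signature verifier = Signature.getInstance("SHA256withECDSA");
        verifier.initVerify(key);
        try (InputStream in = Files.newInputStream(local)) {
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) > 0; ) verifier.update(buf, 0, n);
        }
        if (!verifier.verify(sig)) {
            Files.delete(local); // never leave unverified data in private storage
            throw new SecurityException("signature mismatch; file rejected");
        }
        return local; // callers load only this private, verified copy
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo: two temp directories stand in for shared and
        // app-private storage; the key pair stands in for the developer's key.
        Path shared = Files.createTempDirectory("shared");
        Path priv = Files.createTempDirectory("private");
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(256);
        KeyPair kp = gen.generateKeyPair();
        Path file = shared.resolve("update.bin");
        Files.write(file, "constructed payload v1".getBytes());
        Signature signer = Signature.getInstance("SHA256withECDSA");
        signer.initSign(kp.getPrivate());
        signer.update(Files.readAllBytes(file));
        byte[] sig = signer.sign();
        System.out.println("accepted: " + copyThenVerify(file, priv, sig, kp.getPublic()));
        Files.write(file, "modified after signing".getBytes()); // content no longer matches
        try {
            copyThenVerify(file, priv, sig, kp.getPublic());
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In a real app only the public key ships with the application; the signature is produced on the developer's side and delivered alongside the file.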

A number of apps, once downloaded, will update or receive information from the developer's server. Due to preferences for external storage, this data will often pass through external storage before entering the app itself.

This avenue provides an opportunity for threat actors to eavesdrop on and manipulate this information before it is passed through to an app. This is similar to Man-in-the-Middle (MiTM) attacks, which monitor online communications between browsers and servers in order to exfiltrate or tamper with user data.



A problem with this attack vector is that it is incredibly common for apps to seek permission to access external storage, so such a request is unlikely to raise any suspicion.

Therefore, should an Android user download an innocent-looking app which is actually laden with malicious code that asks for such permissions, they are likely to accept.

"From that point on, the attacker is able to monitor data transferred between any other app on the user's device and the external storage, and overwrite it with his own data in a timely manner, leading to the unwelcome behavior of the attacked application," the researchers say.

If an Android device is exploited in this manner, this could lead to the covert installation of unwanted apps, denial-of-service, the injection of code which would permit malicious code to run in the privileged context of the compromised application, as well as potential crashes.

The Man-in-the-Disk attack vector can also be used to intercept traffic and information relating to other applications.


Check Point tested a variety of applications for vulnerability to this attack vector. In the cases of Google Translate, Yandex Translate, and Google Voice Typing, developers failed to validate the integrity of data read from external storage, while Xiaomi Browser used external storage for app updates.

When made aware of the findings, Google released a fix to address the problems within its own apps. However, Xiaomi "chose not to address it at this time," according to the researchers.

Other unnamed apps were also found to be vulnerable, and vendors were contacted. Once the fixes have been made available to users, their names will be disclosed.


The testing ground only included a small number of apps, but the company says that this sample leads it to believe that "many other apps use the external storage resource carelessly, and may, therefore, be susceptible to similar attacks."

"Mere guidelines are not enough for OS vendors to exonerate themselves of all responsibility for what is designed by app developers," Check Point says. "Instead, securing the underlying OS is the only long-term solution to protecting against this new attack surface uncovered by our research."

Update 16.09 BST: A Xiaomi spokesperson told ZDNet:

"At Xiaomi, security is our top priority and we hold ourselves to the highest standards. An update for this issue will be released by the end of this month.
We apologize for this and we will improve our processes to handle such vulnerabilities in the future."

ZDNet has reached out to Google and will update if we hear back.
