Many mobile security flaws revolve around obvious avenues like websites or deep, operating system-level exploits. The security team at Check Point, however, has discovered another path: apps that make poor use of external storage like SD cards. While apps would ideally stick to internal storage (which Google sandboxes against outside influence) as much as possible, some apps have relied unnecessarily on unprotected external storage and didn’t bother to validate the data coming from that space. An intruder could take advantage of that poor security policy to manipulate the data and cause havoc — Check Point called it a “man-in-the-disk” attack.
An attack typically works by convincing the user to download a seemingly innocuous app that monitors the external storage use of legitimate software. When the legit apps check for updates, their hostile counterparts modify externally-stored content to perform a variety of sinister actions once it reaches the innocent programs. They can install malware instead of intended updates, flood phones with denial of service attacks or crash apps to inject harmful code.
And unfortunately, at least some of the apps found misusing storage were ones you’ve likely run at some point. Google’s Translate, Voice Typing and Text-to-Speech apps all handled external storage badly, while common third-party apps like Xiaomi Browser and Yandex Translate also fell short. “Various additional applications” also had problems, Check Point said.
Google and other vendors have either fixed or are fixing their apps as we write this. The problem, as you might surmise, is that a security firm can’t verify every Android app to make sure it uses external storage properly. And since Android doesn’t have native protection for data held in external storage, there’s no universal fix at the moment. The best current defense is to avoid downloading strange apps and update trustworthy apps as often as possible.