Get all your news in one place.
100’s of premium titles.
One app.
Start reading
Tom’s Guide
Tom’s Guide
Technology
Alyse Stanley

New Android security flaw lets hackers seize control of apps — how to stay safe

Android logo on phone next to Malware sign.

Editor’s Note: We have updated this article to highlight the fact that the vulnerable apps in question have since been patched by their respective developers. Also, we’ve changed the headline to address that the apps themselves are not malicious and don’t need to be deleted. We’ll update this story as we learn more.

Microsoft is sounding the alarm about a recently discovered critical security vulnerability on Android named "Dirty Stream" that can let malicious apps easily hijack legitimate apps. Worse still, this flaw impacts multiple apps with hundreds of millions of installs. If you have one of the best Android phones, here's what you need to know to protect your data. 

The vulnerability relates to the ContentProvider system prevalent across many popular Android apps, which manages access to structured data sets meant to be shared between different applications. It's basically what lets your Android apps talk to one another and share files. To protect users and ward off unauthorized access, the system includes safeguards such as strict isolation of data, unique permissions attached to specific URIs (Uniform Resource Identifiers), and path validation security. 

According to Microsoft's alert, two vulnerable apps that have since been patched  include Xiaomi Inc.’s File Manager (1B+ installs) and WPS Office (500M+ installs). 

What makes the Dirty Stream vulnerability so devious is how it manipulates this system. Microsoft has found that hackers can create "custom intents," messaging objects that facilitate communication between components across Android apps, to bypass these security measures. By exploiting this loophole, malicious apps can send a file with a manipulated filename or path to another app using a custom intent, sneaking in harmful code disguised as legitimate files. 

From there, a hacker could trick a vulnerable app into overwriting critical files within its private storage space — and the results can be devastating. As BleepingComputer put it, Dirty Stream essentially turns a common OS-level function into a weaponized tool to execute unauthorized code, steal data, and even hijack an app while the user is none the wiser. 

"Arbitrary code execution can provide a threat actor with full control over an application’s behavior," Microsoft said in a security bulletin this week. "Meanwhile, token theft can provide a threat actor with access to the user’s accounts and sensitive data."

How widespread is this threat?

Microsoft’s investigation found that this vulnerability is not an isolated issue. The company uncovered incorrect implementations of the content provider system across many popular Android apps. 

"We identified several vulnerable applications in the Google Play Store that represented over four billion installations," Microsoft explained. "We anticipate that the vulnerability pattern could be found in other applications."

Given the nature of how this vulnerability works, it's hard to know exactly how many other legitimate apps may have been impacted. But it's safe to assume this potential risk is on an industrial scale until all apps are patched. 

How to stay safe from Android malware

(Image credit: Google)

When it comes to staying safe from Android malware, one of the easiest and simplest things you can do is to limit the number of apps on your phone. I know this may sound silly but think of it this way, the fewer apps you have, the less likely that one of them may turn out to be malicious. Before installing any new app, first ask yourself whether or not you actually need it.

From here, you want to make sure that you’re installing new security updates and patches as soon as they become available. These often fix vulnerabilities and zero-day flaws which can be used to launch attacks by hackers. While you can use an old phone for longer than you’d expect, it’s worth upgrading to a new device once your current phone isn’t receiving security updates any more, especially if you want to be on the safe side.

You also want to make sure that Google Play Protect is enabled on your device. This pre-installed app scans both your existing apps and any new ones you download for malware. Likewise, if you want extra protection and potentially even some extra features like a VPN or password manager, you also want to check out the best Android antivirus apps.

As ‘Dirty Stream’ is a very serious flaw, it’s likely that Google is already working on a fix as Microsoft would have shared any of the info it uncovered with the search giant before publishing its alert.

More from Tom's Guide

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.