Check Point Research discovers a shortcoming in the design of Android's use of storage resources. Careless use of External Storage by applications may open the door to an attack resulting in any number of undesired outcomes, such as silent installation of unrequested, potentially malicious, apps to the user's phone, denial of service for legitimate apps, and even cause applications to crash, opening the door to possible code injection that would then run in the privileged context of the attacked application.

Xiaomi Browser was found to be using the External Storage as a staging resource for application updates. As a result, the Check Point Research team was able to carry out an attack by which the application's update code was replaced, resulting in the installation of an alternative, undesired application instead of the legitimate update.

Upon discovery of these application vulnerabilities, we contacted Google, Xiaomi and vendors of other vulnerable applications to update them and request their response. A fix to the applications of Google was released shortly after, additional vulnerable applications are being updated and will be disclosed once the patch is made available to their users, while Xiaomi chose not to address it at this time.

For more details on the Man-in-the-Disk, please visit: https://research.checkpoint.com/andro...