Android Vulnerabilities: Man-in-the-Disk Attacks Google Voice Assistant


Check Point Research discovers a shortcoming in the design of Android's use of storage resources. Careless use of External Storage by applications may open the door to an attack with any number of undesired outcomes: silent installation of unrequested, potentially malicious apps on the user's phone, denial of service for legitimate apps, and application crashes that open the door to possible code injection, which would then run in the privileged context of the attacked application.

In the case of Google Voice Assistant, developers failed to validate the integrity of data read from the External Storage. As such, our team was able to compromise certain files required by these apps, resulting in the crash of each of these applications, as seen in the video of Google Voice Assistant crashing.
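One way to apply the integrity validation described above as missing, shown as an added example (not code from Check Point, Google or any affected app). The file name, the size limit and the choice to record the expected SHA-256 digest somewhere other apps cannot write (such as the app's internal storage) are assumptions; a temporary directory stands in for External Storage so the example runs on any JVM.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;

public class VerifiedExternalRead {
    /**
     * Reads the file once, hashes exactly the bytes that will be used, and
     * returns them only if the digest matches the trusted value. Verifying the
     * in-memory copy means a later change to the file cannot affect the result.
     */
    static byte[] readVerified(Path externalFile, byte[] expectedSha256, long maxBytes)
            throws IOException, GeneralSecurityException {
        if (Files.size(externalFile) > maxBytes) {
            throw new SecurityException("file larger than expected, refusing to load");
        }
        byte[] data = Files.readAllBytes(externalFile);
        if (data.length > maxBytes) { // the file may have grown after the size check
            throw new SecurityException("file larger than expected, refusing to load");
        }
        byte[] actual = MessageDigest.getInstance("SHA-256").digest(data);
        if (!MessageDigest.isEqual(actual, expectedSha256)) {
            throw new SecurityException("digest mismatch, file was modified");
        }
        return data;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: temp directory standing in for External Storage.
        Path external = Files.createTempDirectory("external-storage");
        Path cacheFile = external.resolve("assistant-cache.bin"); // hypothetical name
        byte[] original = "constructed sample payload".getBytes(StandardCharsets.UTF_8);
        Files.write(cacheFile, original);
        // Assumption: the app records this digest in its private internal storage
        // at the time it writes the file.
        byte[] expected = MessageDigest.getInstance("SHA-256").digest(original);

        System.out.println("untouched: accepted " + readVerified(cacheFile, expected, 1024).length + " bytes");

        // The file changes on shared storage after the app wrote it.
        Files.write(cacheFile, "modified by another app".getBytes(StandardCharsets.UTF_8));
        try {
            readVerified(cacheFile, expected, 1024);
        } catch (SecurityException e) {
            System.out.println("modified: rejected (" + e.getMessage() + ")");
        }
    }
}
```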

Upon discovery of these application vulnerabilities, we contacted Google, Xiaomi and the vendors of other vulnerable applications to inform them and request their response. A fix for Google's applications was released shortly after. Additional vulnerable applications are being updated and will be disclosed once the patch is made available to their users, while Xiaomi chose not to address the issue at this time.

For more details on Man-in-the-Disk, please visit: https://research.checkpoint.com/andro...

Reviewed by Anonymous on August 14, 2018 Rating: 5