Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?


Mobile & Wireless

Microsoft Warns of ‘Dirty Stream’ Vulnerability in Popular Android Apps

Microsoft has uncovered a new type of attack called Dirty Stream that impacted Android apps with billions of installations. 

Microsoft is warning Android application users and developers about a recently uncovered attack method that can allow threat actors to take control of apps and obtain sensitive data.

The issue has been named Dirty Stream and described by the tech giant as a vulnerability pattern related to path traversal. The company disclosed the details of Dirty Stream this week, focusing on its impact on the Xiaomi File Manager and WPS Office applications, which collectively have more than 1.5 billion installs from Google Play. 

Microsoft identified several impacted applications, which have a total of four billion installations, but the company believes the vulnerability pattern could be present in other Android apps as well. 

The issue is related to a data and file sharing mechanism on Android, specifically the content provider component and its ‘FileProvider’ class, which enables file sharing between installed applications. Improperly implementing this mechanism can introduce potentially serious vulnerabilities.

Microsoft discovered that malicious applications could leverage the Dirty Stream technique to overwrite files in the targeted application’s home directory, which can lead to arbitrary code execution and token theft. 

Being able to execute arbitrary code enables the attacker to gain full control of the targeted app’s behavior, while token theft can allow the hacker to access user accounts and sensitive data.

Malicious code execution can be achieved by overwriting the application’s code. In addition, the attacker can modify the app’s behavior by, for instance, overwriting preferences and other configuration files. 

The developers of apps affected by Dirty Stream have been notified by Microsoft and they have released patches, but the company is urging all developers to analyze its research and ensure that their products are not impacted.

Advertisement. Scroll to continue reading.

Google has also been notified and it has published an article on the Android Developers website to inform developers about risks associated with the content provider component.

Related: VPN Apps on Google Play Turn Android Devices Into Proxies

Related: Google Announces Enhanced Fraud Protection for Android

Related: Critical Remote Code Execution Vulnerability Patched in Android

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights