Android is a good operating system whose developers truly care about security, but with so many OS versions and applications, keeping an eye on all of them is a tall order. Therefore, new ways to circumvent the built-in security mechanisms surface fairly often. The latest way to hack Android is called “Man-in-the-Disk,” and that is what we are going to talk about.
How the Man-in-the-Disk attack works
Apart from the sandbox areas that house application files, Android has a shared external storage, appropriately named “External Storage.” An application must ask the user for permission to access the storage: “Access photos, media and files on your device” (that is effectively two permissions – READ_EXTERNAL_STORAGE and WRITE_EXTERNAL_STORAGE). These privileges are not normally considered dangerous, and nearly every application asks for them, so there is nothing suspicious about the request.
Applications use external storage for many useful things, such as exchanging files with other apps or transferring files between a smartphone and a computer. However, external storage is also often used as a staging area for data downloaded from the Internet: first, the data is written to the shared part of the disk, and only then is it transferred to an isolated area that only that particular application can access.
For example, an application may temporarily use the area to store supplementary modules that it installs to expand its functionality, additional content such as dictionaries, or updates. The problem is that any application with read/write access to the external storage can read those files and modify them in the window between download and transfer, adding something malicious that the target application then installs as if it were genuine.
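The staging pattern described above, as an added example that is not code from the original article or from any of the applications it names. The first method reproduces the vulnerable flow (download to shared external storage, use later); the second stages the download directly inside the app's private internal storage and verifies a SHA-256 digest pinned in the app before the module is used, checking the private copy rather than anything another app could still write to. The class name, file names and the all-zero digest value are constructed placeholders.

```java
// Added example (not from the original article): vulnerable vs. hardened staging of a
// downloaded module on Android. Digest value and file names are constructed placeholders.
import android.content.Context;
import android.os.Environment;

import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public final class ModuleInstaller {

    // Placeholder: a real app would ship the expected digest of each module it downloads.
    private static final byte[] EXPECTED_SHA256 = hexToBytes(
            "0000000000000000000000000000000000000000000000000000000000000000");

    // VULNERABLE PATTERN (the flow described in the article): the downloaded module sits
    // on shared external storage until it is moved. Any app holding WRITE_EXTERNAL_STORAGE
    // can overwrite it in that window, and the later move copies the attacker's file.
    public static File stageOnSharedStorage(InputStream download) throws IOException {
        File staging = new File(Environment.getExternalStorageDirectory(), "module.tmp");
        copy(download, staging);
        return staging; // nothing checks what is in this file before it is used
    }

    // HARDENED PATTERN: stream the download straight into the app's private internal
    // directory (not readable or writable by other apps), then verify the private copy.
    public static File stageInPrivateStorage(Context ctx, InputStream download) throws IOException {
        File privateDir = new File(ctx.getFilesDir(), "modules");
        if (!privateDir.isDirectory() && !privateDir.mkdirs()) {
            throw new IOException("cannot create private module directory");
        }
        File staged = File.createTempFile("module", ".tmp", privateDir);
        try {
            copy(download, staged);
            // Verify the copy we own, never a shared-storage file: checking a file another
            // app can still write to would leave a time-of-check/time-of-use gap.
            if (!digestMatches(staged, EXPECTED_SHA256)) {
                throw new IOException("module digest mismatch; refusing to install");
            }
            return staged;
        } catch (IOException e) {
            staged.delete(); // leave no unverified module behind
            throw e;
        }
    }

    // Computes SHA-256 over the file and compares it to the pinned digest in constant time.
    static boolean digestMatches(File f, byte[] expected) throws IOException {
        MessageDigest md;
        try {
            md = MessageDigest.getInstance("SHA-256");
        } catch (NoSuchAlgorithmException e) {
            throw new IOException(e);
        }
        try (InputStream in = new FileInputStream(f)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                md.update(buf, 0, n);
            }
        }
        return MessageDigest.isEqual(md.digest(), expected);
    }

    private static void copy(InputStream in, File dest) throws IOException {
        try (OutputStream out = new FileOutputStream(dest)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        }
    }

    private static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

The design choice that matters is the order of operations: the module is copied into storage only this app can write to first, and the integrity check runs on that copy. Hashing the file while it still lives on shared storage would prove nothing, because another app could replace it after the check and before the install.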
In a real-life scenario, you may install a seemingly harmless application, such as a game, that may nevertheless infect your smartphone with something truly nasty.
The creators of Android actually realize that use of the external storage may be dangerous, and the Android developer site even features a few helpful tips for app programmers.
The problem is that not all app developers follow that advice, and that includes Google's own teams and certain smartphone manufacturers. Examples presented by Slava Makkaveev include exploitation of the vulnerability in Google Translate, Yandex.Translate, Google Voice Typing, and Google Text-to-Speech, as well as in system applications by LG and the Xiaomi browser.