{"id":11805,"date":"2018-08-27T20:54:24","date_gmt":"2018-08-27T16:54:24","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/man-in-the-disk\/11805\/"},"modified":"2018-08-27T20:54:41","modified_gmt":"2018-08-27T16:54:41","slug":"man-in-the-disk","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/man-in-the-disk\/11805\/","title":{"rendered":"Man-in-the-Disk: A new and dangerous way to hack Android"},"content":{"rendered":"<p>Android is a good operating system whose developers truly care about security, but with so many OS versions and applications, keeping an eye on all of them is a tall order. Therefore, new ways to circumvent the built-in security mechanisms surface fairly often. The latest way to hack Android is called \u201cMan-in-the-Disk,\u201d and that is what we are going to talk about.<\/p>\n<p><a href=\"https:\/\/me-en.kaspersky.com\/blog\/wp-content\/blogs.dir\/37\/files\/2018\/08\/man-in-the-disk-featured.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-11806\" src=\"https:\/\/me-en.kaspersky.com\/blog\/wp-content\/blogs.dir\/37\/files\/2018\/08\/man-in-the-disk-featured.jpg\" alt=\"How a seemingly harmless Android application can infect your smartphone using shared external storage.\" width=\"1460\" height=\"958\"><\/a><\/p>\n<h2>\u201cSandboxes,\u201d the foundation of Android security<\/h2>\n<p>A key Android principle is that all applications must be isolated from one another. This is achieved through the use of so-called <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/sandbox\/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=termin-explanation\" target=\"_blank\" rel=\"noopener\">sandboxes<\/a>. 
Each application, together with its private files, lives in a \u201csandbox\u201d that other applications cannot access.<\/p>\n<p>The idea is to keep a malicious application, even if it infiltrates your Android device, from stealing data that other, good applications store, such as the username and password of your online banking app, or your message history. It\u2019s no surprise that hackers are hard at work looking for new ways to circumvent the mechanism, pursuing something called a \u201c<a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/sandbox-escape\/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=termin-explanation\" target=\"_blank\" rel=\"noopener\">sandbox escape<\/a>.\u201d They succeed, too, from time to time.<\/p>\n<p>For example, Slava Makkaveev\u2019s speech at DEF CON 26 focused on how an application with no particularly dangerous or suspicious permissions can escape the sandbox. He dubbed the method \u201c<a href=\"https:\/\/blog.checkpoint.com\/2018\/08\/12\/man-in-the-disk-a-new-attack-surface-for-android-apps\/\" target=\"_blank\" rel=\"nofollow noopener\">Man-in-the-Disk<\/a>,\u201d after the well-known <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/man-in-the-middle-attack\/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=termin-explanation\" target=\"_blank\" rel=\"noopener\">Man-in-the-Middle<\/a> type of attack.<\/p>\n<h3>How the Man-in-the-Disk attack works<\/h3>\n<p>Apart from the sandbox areas that house application files, Android has a shared external storage, appropriately named \u201cExternal Storage.\u201d An application must ask the user for <a href=\"https:\/\/www.kaspersky.com\/blog\/android-permissions-guide\/14014\/\" target=\"_blank\" rel=\"noopener nofollow\">permission<\/a> to access the storage: \u201cAccess photos, media and files on your device\u201d (that is effectively two permissions \u2013 READ_EXTERNAL_STORAGE and WRITE_EXTERNAL_STORAGE). 
These privileges are not normally considered dangerous, and nearly every application asks for them, so there is nothing suspicious about the request.<\/p>\n<p>Applications use external storage for lots of useful things, such as to exchange files or transfer files between a smartphone and a computer. However, external storage is also often used for temporarily storing data downloaded from the Internet: First, the data is written to the shared part of the disk, and only then transferred to an isolated area that only that particular application can access.<\/p>\n<p>For example, an application may temporarily use the area to store supplementary modules that it installs to expand its functionality, additional content such as dictionaries, or updates. The problem is that any application with read\/write access to the external storage can gain access to the files and modify them, adding something malicious.<\/p>\n<p>In a real-life scenario, you may install a seemingly harmless application, such as a game, that may nevertheless infect your smartphone with something truly nasty.<\/p>\n<p>The creators of Android actually realize that use of the external storage may be dangerous, and the Android developer site even features <a href=\"https:\/\/developer.android.com\/training\/articles\/security-tips\" target=\"_blank\" rel=\"nofollow noopener\">a few helpful tips<\/a> for app programmers.<\/p>\n<p>The problem is that not all app developers, not even Google employees or certain smartphone manufacturers, follow the advice. 
Examples presented by Slava Makkaveev include exploitation of the vulnerability in Google Translate, Yandex.Translate, Google Voice Typing, and Google Text-to-Speech, as well as system applications by LG and the Xiaomi browser.<\/p>\n<p>By the way, <a href=\"https:\/\/thehackernews.com\/2018\/08\/fortnite-android-app-apk.html\" target=\"_blank\" rel=\"nofollow noopener\">Google researchers recently discovered<\/a> that the very same Man-in-the-Disk attack can be applied to the Android version of a very popular game, Fortnite. To download the game, users need to install a helper app first, and it is supposed to download the game files. Turns out, using the Man-in-the-Disk attack, someone can trick the helper into installing a malicious application. Fortnite developers \u2013 Epic Games \u2013 are aware of this vulnerability and have already issued a new version of the installer. So if you\u2019re into Fortnite, use version 2.1.0 to stay safe. If you have Fortnite already installed, uninstall and then reinstall it from scratch using the aforementioned version.<\/p>\n<h3>How to protect your Android from the Man-in-the-Disk attack<\/h3>\n<p>Makkaveev singled out just a few really popular apps to demonstrate how bad things are, but vulnerable apps are likely numerous.<\/p>\n<p>How can you protect yourself? We have a few tips that are easy to follow:<\/p>\n<ul>\n<li>Install applications only from official stores such as Google Play. Malware does creep in, but it is far rarer \u2014 and removed on a regular basis.<\/li>\n<li>Disable the installation of applications from third-party sources in your smartphone or tablet settings; those are the most dangerous sources. 
To do that, select <em>Settings -&gt; Security<\/em> and uncheck <em>Unknown sources<\/em>.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2018\/05\/18142502\/unknown-sources-EN.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-11134\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2018\/05\/18142502\/unknown-sources-EN.jpg\" alt=\"\" width=\"300\" height=\"208\"><\/a><\/p>\n<ul>\n<li>Choose applications by verified developers. Check the application rating and read the reviews. Avoid installing anything that <a href=\"https:\/\/www.kaspersky.com\/blog\/android-app-security\/18505\/\" target=\"_blank\" rel=\"noopener nofollow\">looks fishy<\/a>.<\/li>\n<li>Do not install anything you do not need. The fewer apps you have on your smartphone, the better.<\/li>\n<li>Remember to remove applications you no longer need.<\/li>\n<li>Use a <a href=\"https:\/\/me-en.kaspersky.com\/mobile-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_kdaily_wpplaceholder_sm-team___kisa____3d7d2c33c4c17a10\" target=\"_blank\" rel=\"noopener\">reliable mobile antivirus application<\/a> that will give you a timely notification if a malicious app is trying to penetrate your device.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>How a seemingly harmless Android application can infect your smartphone using shared external 
storage.<\/p>\n","protected":false},"author":421,"featured_media":11806,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,1486],"tags":[105,740,423,741,1874,22,957,1825,521,1620,967],"class_list":{"0":"post-11805","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-android","10":"tag-black-hat","11":"tag-blackhat","12":"tag-def-con","13":"tag-def-con-26","14":"tag-google","15":"tag-lg","16":"tag-permissions","17":"tag-threats","18":"tag-xiaomi","19":"tag-yandex"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/man-in-the-disk\/11805\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/man-in-the-disk\/14098\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/man-in-the-disk\/16089\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/man-in-the-disk\/14327\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/man-in-the-disk\/13347\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/man-in-the-disk\/16809\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/man-in-the-disk\/16204\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/man-in-the-disk\/21188\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/man-in-the-disk\/5241\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/man-in-the-disk\/23622\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/man-in-the-disk\/10862\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/man-in-the-disk\/9654\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/man-in-the-disk\/17562\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/man-in-the-disk\/21388\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/man-in-the-disk\/17240\/"},{"hr
eflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/man-in-the-disk\/20961\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/man-in-the-disk\/20971\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/def-con\/","name":"def con"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/11805","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/421"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=11805"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/11805\/revisions"}],"predecessor-version":[{"id":11808,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/11805\/revisions\/11808"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/11806"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=11805"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=11805"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=11805"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}