Microsoft Discovers New Android Security Flaw Affecting Over 4 Billion Downloads

Published by Andrea Miliani on May 7, 2024
Fact-checked by Kate Richards

Microsoft warns Android users and developers about a vulnerability pattern found in multiple Android apps in the Google Play Store. The vulnerability potentially affects over 4 billion installations worldwide, as announced in a recent report.

Among the apps affected, Microsoft disclosed two of the largest: WPS Office, with over 500 million installs, and Xiaomi Inc.’s File Manager, with over 1 billion installs. The two companies were informed in February this year and have since fixed the issue.

The report recognizes that many other apps, accounting for more than 500 million installations, could be affected, but none are named specifically.

This vulnerability, termed a “Dirty Stream” attack, has been identified in a content provider component that allows apps to share information. The flaw in the component places apps at risk because malicious actors can take control of the app and access user tokens. As explained by Microsoft experts in the May 1 announcement, the consequences can vary and depend on how the applications implement the component.

Google, in collaboration with Microsoft, exposed this vulnerability and shared a security risk report on the Android Studio platform for developers, providing more information and advice on how to avoid future vulnerabilities and fix current ones.

Microsoft’s announcement acts not only as a warning to the potential billions of people who may be affected but also as an invitation to other big tech companies and app developers to work together to provide better app security across the industry. The statement says that Microsoft not only provides guidance to app users and developers but also intends “to illustrate the importance of collaboration to improve security for all.”

Microsoft’s report also provides guidance for Android users, the biggest suggestion being to make sure the latest versions of apps are currently installed.

It also shares practical examples of the issue, using a case study involving Xiaomi Inc.’s File Manager as a reference. It explains how a malicious app could behave in severe scenarios: “Besides having full access to the device’s external storage, the application requests many permissions, including the ability to install other applications.”

All that said, and as Forbes also confirms, there’s nothing users can do other than to stay informed, keep their apps up to date, and follow Microsoft’s recommendations: “Users should only install applications from trusted sources to avoid potentially malicious applications.”
