Billions of Android Devices Vulnerable to ‘Dirty Stream’ Cyber Attack

Critical Security Vulnerabilities Discovered in Popular Android Apps by Microsoft Researchers

Billions of Android Installations at Risk of Compromise Due to Security Weakness

Researchers from Microsoft have uncovered a major security flaw in several Android applications, putting billions of installations at risk of compromise. The flaw stems from a common security weakness and allows remote code execution attacks, token theft, and other issues.

The affected apps include popular ones with over 500 million installations each, such as Xiaomi Inc.’s File Manager and WPS Office. Microsoft alerted Google’s Android security research team about the problem, leading Google to release new guidance for Android app developers on how to recognize and address the issue.

According to Microsoft, the flaw stems from Android apps sharing files with other applications using a feature called “content provider.” This feature acts as an interface for managing and exposing an app’s data to other installed applications, but it lacks proper content validation procedures. This oversight allows attackers to send files with malicious filenames to receiving apps, potentially leading to unauthorized access and compromise.

Microsoft has urged app vendors to review their products for similar vulnerabilities and take necessary steps to fix them. Both Microsoft and Google have provided recommendations for developers to prevent such security risks. In the meantime, users can protect themselves by updating their apps regularly and downloading only from trusted sources.
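
One way a receiving app can treat the sender-supplied filename described above as untrusted, shown as an added example in plain Java (not code from Microsoft, Google or any affected app). The helper `resolveTarget`, the `incoming` directory and the sample names are hypothetical.

```java
import java.io.File;
import java.io.IOException;
import java.util.UUID;

public class IncomingFileName {

    // Hypothetical helper: decides where a received file may be written.
    // 'untrustedName' stands for the filename reported by the sending app.
    static File resolveTarget(File baseDir, String untrustedName) throws IOException {
        // Keep only the last path segment, so "../" or absolute paths cannot steer the write.
        String name = (untrustedName == null) ? "" : untrustedName.replace('\\', '/');
        name = name.substring(name.lastIndexOf('/') + 1);
        // Allow a conservative character set; anything else becomes '_'.
        name = name.replaceAll("[^A-Za-z0-9._-]", "_");
        if (name.isEmpty() || name.equals(".") || name.equals("..")) {
            name = "received";
        }
        // A random prefix stops the sender from choosing a name that matches an existing file.
        File target = new File(baseDir, UUID.randomUUID() + "_" + name);
        // Defence in depth: the canonical path must still be inside baseDir.
        String base = baseDir.getCanonicalPath() + File.separator;
        if (!target.getCanonicalPath().startsWith(base)) {
            throw new SecurityException("refusing to write outside " + base);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        File baseDir = new File(System.getProperty("java.io.tmpdir"), "incoming");
        // Constructed sample names, not taken from any real app.
        String[] samples = {
            "report.pdf",
            "../../shared_prefs/settings.xml",
            "/data/data/com.example.app/files/config.xml",
            "..",
            null
        };
        for (String s : samples) {
            // Every result is a single file name directly under baseDir.
            System.out.println(s + " -> " + resolveTarget(baseDir, s).getName());
        }
    }
}
```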
