New threat for the Android mobile devices: the Man-in-the-Disk (MITD) cyber attacks. It has been discovered by Check Point. An aggressor could exploit a flaw in the system’s handling of external storage to inject malicious code

The Android mobile devices could suffer a new kind cyber attacks: “Man-in-the-Disk” (MITD). It has been discovered by Check Point cyber security experts. They exploit a flaw in the system’s handling of external storage to inject malicious code. And worst of all, this weakness is an integral part of Android’s design. The researchers found a number of Apps, including some from major distributors, vulnerable to MITD attacks. They also managed to build their own that took advantage of the exploit. The risks: silent installation of unrequested, potentially malicious apps to the user’s phone, denial of service for legitimate apps, and even cause applications to crash, opening the door to possible code injection. “These Man-in-the-Disk attacks are made possible when applications are careless about their use of External Storage,” the company’s a blog reports “a resource that is shared across all applications and does not enjoy Android’s built-in Sandbox protection”.

The focal point is the External Storage and it’s “dialogue” with the Apps

The MITD cyber attack allows malicious actors to enter and meddle with data stored on the External Storage. Check Point cyber security experts have witnessed “cases where an app was downloaded, updated or received data from the App provider’s server”. They “passed through the External Storage before being sent on to the app itself. Such practice offers an opportunity for an adversary to manipulate the data held in the External Storage before the app reads it again. Meddling with the data occurs using a seemingly innocent application, e.g. a fake flashlight app, within which holds the attacker’s exploit script. The user is persuaded by the attacker to download this innocent looking app, which in turn asks for the user’s permission to access the External Storage. Something – the blog adds – which is perfectly normal for apps to request, and is unlikely to raise suspicion on the user’s behalf”.

The cyber aggressor is able to monitor data transferred between any other app on the user’s device and the External Storage, and overwrite it with his own data

According to Check Point, thanks to this operation the attacker of an Android device “is able to monitor data transferred between any other app on the user’s device and the External Storage. And overwrite it with his own data in a timely manner, leading to the unwelcome behavior of the attacked application. In this way, the attacker has his ‘Man-in-the-Disk’ looking out for ways in which he can intercept traffic and information required by the user’s other existing apps, and offer a carefully crafted derivative of the data that would lead to harmful results”.

The results of the cyber attacks on the mobile platform can vary, depending on the malicious actor’s desire and expertise

The results of the MITD cyber attacks on the mobile platform can vary. It depends on the malicious actor’s desire and expertise. “Our research demonstrated the ability to install an undesired application in the background, without the user’s permission.” the cyber security researchers found “We have also demonstrated the ability to crash the attacked application, causing it a denial of service. Once crashed and with the App’s defenses down, the attacker could then potentially carry out a code injection to hijack the permissions granted to the attacked application and escalate his own privileges. This in order to access other parts of the user’s device. Such as the camera, microphone, contacts list and so forth”.

The complete Check Point research on the MITD cyber attacks