Threat Watch

Man-in-the-Disk Attack

The Man-in-the-Disk technique is a new attack that takes advantage of irresponsible storage protocols in third-party apps which can crash a victim’s Android mobile device. Researchers claim that there are “shortcomings” in the way Google’s Android OS utilizes external storage resources. The attack focuses on the external storage aspect of Android-based mobile devices. Due to third-party apps and developers practicing careless behavior with how storage is managed, this allows for the Man-in-the-Disk attack. According to researchers, “some apps will choose external over internal storage due to a lack of capacity available in internal storage, backward compatibility issues.” Whenever external storage is preferred, Google advises developers to ensure that a validation check is in place so that executables are not stored externally. Google also says that “files should be signed and cryptographically verified prior to dynamic loading.” Many app developers are not following these guidelines which leave Android-based users prone to attack. There are a number of apps that, once downloaded, will update or receive data from the developer’s server. This data will frequently pass through external storage first, before entering the app due to the preferences of external storage. Because of this route, attackers can eavesdrop and manipulate information before the app collects the data. A major concern for this attack is that apps seeking permission to gain access to external storage are very common and more than likely will not make the user suspicious. This could also lead to the hidden installation of malicious apps, DoS attacks, interception of traffic and information about other apps and possibly crashing the device. Google has been informed about the attack and has released a patch to address the issue.