Check Point Research said it has found a design flaw in Android’s Sandbox that allows external storage to be used as an avenue for cyberattacks.

Those attacks could result in outcomes such as silent installation of unrequested, potentially malicious, apps on the user’s phone. They could also be used for denial of service for legitimate apps and could even cause applications to crash, opening the door to potential code injection that could then run in the privileged context of the attacked application.

These “man-in-the-disk” attacks are made possible when users are careless about applications‘ use of shared storage that does not enjoy the Android sandbox protection and fail to employ security precautions on their own, Check Point said. Researcher Slava Makkaveev talked about the findings at the Defcon hacker event in Las Vegas today.

Within the Android operating system, there are two types of storage: internal storage, which each application uses separately and which is segregated by the Android Sandbox, and external storage, often over an SD card or a logical partition within the device’s storage, which is shared by all applications.

External storage is primarily used to share files between applications. For example, in order for a messaging app to send a photo from one person to another, the application needs to have access to the media files held in the external storage.

There are other reasons an app developer might choose to use external storage rather than the sandboxed internal option. Such cases range from a lack of sufficient capacity in the internal storage, backwards compatibility considerations with older devices, not wanting the app to appear to use too much space, to sheer laziness on the developer’s part.

Whatever the reason, when using the external storage, certain precautions are necessary. Google’s Android documentation says that application developers are advised as to how they should use the external storage in their apps. Some of these guidelines include running validation tests, not storing executable files on external storage, and making sure files are signed and cryptographically verified before loading.

“However, we have seen a few examples where Google and other Android vendors do not follow these guidelines,” Check Point said. “And herein lies the man-in-the-disk attack surface, offering an opportunity to attack any app that carelessly holds data in the external storage.”

In such attacks, an app is downloaded, updated, or receives data from a server. It is passed through external storage and then sent to the app itself.

Attackers can enter and meddle with data stored in the external storage. Using an innocent-looking app downloaded by the user, the attacker is able to monitor data transferred between any other app and the external storage and overwrite it with other data.

Upon unwittingly downloading the attacker’s app, the user would be asked to allow the app permission to access the external storage, something which is perfectly normal for apps to request. The attacker’s malicious code would then start monitoring the external storage and all data held there.

In this way, the attacker has a man-in-the-disk presence that looks for ways to intercept traffic and information required by the user’s other existing apps in order to manipulate them or cause them to crash.

The results of the attacks can vary depending on the attacker’s desire and expertise. Check Point demonstrated the ability to install an undesired application in the background, without the user’s permission. This could also crash an app and inject code to hijack permissions granted to the attacked application. It could then escalate privileges and gain access to other parts of the user’s device, such as the camera, microphone, contact list, and so forth.

Among the applications that were tested for this new attack surface were Google Translate, Yandex Translate, Google Voice Typing, LG Application Manager, LG World, Google Text-to-Speech, and Xiaomi Browser.

In the case of Google Translate, Yandex Translate, and Google Voice Typing, developers had ignored a shared guideline, which meant certain files required by the apps could be compromised by an attack, resulting in the crash of the application. LG Application Manager and LG World fell short of heeding another guideline, rendering them vulnerable to an attacker potentially downloading alternative unrequested apps.

Finally, Google Text-to-Speech and Xiaomi Browser allowed for the man-in-the-disk intruder to take root, which resulted in overwriting APK files.

“While it is clear that these design shortcomings leave Android users potentially vulnerable to cyber threats, what is less clear is who is really at fault and where the responsibility lies in fixing them,” Check Point said. “On the one hand, although Android’s developers have created guidelines to app developers on how to ensure their apps are safe, they must also be aware that it is well known for developers to not build their applications with security front of mind. On the other hand, and being aware of this aforesaid knowledge, is there more Android could be doing to protect their operating system and the devices that use it?”