
Man-in-the-disk attack: How are Android products affected?

Researchers from Check Point announced a new attack at Black Hat 2018 that targets Android devices. Discover how this attack works and how devices should be protected with Nick Lewis.

Check Point researchers at Black Hat 2018 unveiled a man-in-the-disk attack that could enable attackers to take over Android devices. What is a man-in-the-disk attack and how does it work?

Smartphones and standard PCs have very different security models, but they do share some security controls. One key control on most mobile OS platforms, including Android, is the application sandbox: it limits the attack surface a single vulnerability exposes and confines an attacker who compromises an app to the resources that app can reach. Because the sandbox is what stands between a compromised app and the rest of the system, it is itself a common target; attackers look for ways to escape it, or for data that lives outside it and is therefore not protected by it.

On Android, for example, each app runs as its own Linux user in its own sandbox, so an app can read and write only its own private files; the OS, not the app, decides what the app may touch on the file system, the network and other system resources. External storage (the shared "SD card" area) is the exception: it is outside every app's sandbox and is readable and writable by any app that holds the storage permission, which is exactly where this attack operates.

Check Point's blog post describes an attack that abuses this gap: what happens when an app needs to store or read data on external storage, outside its sandbox. Google's own developer guidance already anticipates the risk. It tells developers to perform input validation on any data read from external storage, not to store executables or class files there before dynamically loading them, and to sign and cryptographically verify any file fetched from external storage before it is executed. However, not all developers, Google's own app teams included, have treated files on external storage as untrusted input, and Check Point found several apps whose handling of such files could be exploited.

Check Point named this a man-in-the-disk attack, by analogy to a man-in-the-middle attack: instead of sitting in a network channel, the attacker sits in the shared storage that an app uses as a channel between itself and its own data, and exploits the window between the moment the app checks a file and the moment it uses it (a time-of-check to time-of-use, or TOCTOU, race). Concretely, a malicious app that has been granted the external storage permission replaces a legitimate file the targeted app keeps on external storage with one the attacker controls. What happens when the targeted app then opens that file depends on what the app does with it: the outcomes Check Point demonstrated range from the app crashing (a denial of service), to malicious code running in the targeted app's context, to the targeted app silently installing another malicious app in place of a legitimate update it had downloaded.
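The following is an added example, not code from Check Point's research or from this article: a Python simulation of the race described above, with the vulnerable check-then-use pattern beside a hardened copy-then-verify pattern. The temporary directories, file names, payload bytes and expected SHA-256 are all constructed here; the "external" directory stands in for Android's shared external storage and "internal" for the app's private sandbox directory, and the attacker is a callback that writes to the shared file between the victim's check and its use. The hardened version assumes the expected digest reached the app over a channel the attacker cannot write to (pinned in the app, or fetched from the app's own server over TLS); without that precondition no integrity check helps.

```python
"""Man-in-the-disk as a TOCTOU race on shared storage (simulation).

'external' stands for Android's world-writable external storage, 'internal'
for the app's private sandbox directory. Both are temp dirs created here.
"""
import hashlib
import os
import shutil
import tempfile

# Constructed sample payloads; in a real app the genuine file would be an
# update or data file the app itself downloaded to external storage.
GENUINE_UPDATE = b"genuine update payload v1.0"
MALICIOUS_UPDATE = b"payload planted by another app on shared storage"
# Assumed to have arrived over a trusted channel (pinned or fetched via TLS).
EXPECTED_SHA256 = hashlib.sha256(GENUINE_UPDATE).hexdigest()


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def vulnerable_load(external_path, attacker_between_check_and_use):
    """Checks the file on shared storage, then re-opens it from shared storage.
    Any app that can write to external storage can swap it in the gap."""
    if sha256_of(external_path) != EXPECTED_SHA256:
        raise ValueError("integrity check failed")
    attacker_between_check_and_use()      # race window: file replaced here
    with open(external_path, "rb") as f:
        return f.read()                   # uses whatever is there now


def hardened_load(external_path, internal_dir, attacker_between_check_and_use):
    """Copies into the private directory first, verifies the private copy,
    and only ever uses that copy. Shared storage is treated as untrusted input."""
    private_copy = os.path.join(internal_dir, "update.bin")
    shutil.copyfile(external_path, private_copy)
    attacker_between_check_and_use()      # attacker still swaps the shared file
    if sha256_of(private_copy) != EXPECTED_SHA256:
        os.remove(private_copy)
        raise ValueError("integrity check failed")
    with open(private_copy, "rb") as f:
        return f.read()                   # verified bytes, not the shared file


def run_scenario():
    """Runs both loaders against the same attacker and reports the outcomes."""
    with tempfile.TemporaryDirectory() as root:
        external = os.path.join(root, "external")
        internal = os.path.join(root, "internal")
        os.makedirs(external)
        os.makedirs(internal)
        target = os.path.join(external, "update.bin")

        def plant_genuine():
            with open(target, "wb") as f:
                f.write(GENUINE_UPDATE)

        def attacker_swap():
            # A second app holding the storage permission overwrites the file.
            with open(target, "wb") as f:
                f.write(MALICIOUS_UPDATE)

        plant_genuine()
        vulnerable_result = vulnerable_load(target, attacker_swap)

        plant_genuine()
        hardened_result = hardened_load(target, internal, attacker_swap)

        # Attacker gets there before the copy: the hardened loader must refuse.
        attacker_swap()
        try:
            hardened_load(target, internal, lambda: None)
            rejected_tampered = False
        except ValueError:
            rejected_tampered = True

    return {
        "vulnerable_used_malicious": vulnerable_result == MALICIOUS_UPDATE,
        "hardened_used_genuine": hardened_result == GENUINE_UPDATE,
        "hardened_rejected_tampered": rejected_tampered,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point of the hardened path is that the bytes checked and the bytes used are the same bytes, in a location the other app cannot write to; verifying the file in place on shared storage and then opening it again from shared storage is precisely the vulnerable pattern. For code rather than data, Android's guidance goes one step further and says not to stage executables or class files on external storage at all.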

