If you own an Android device and use external storage, you might want to think twice about it.
Check Point security researcher Slava Makkaveev over the weekend discussed the potential security risks related to storing certain content on external storage plugged into your Android devices.
The researcher, who presented his findings at the Def Con security conference on Sunday, said that storing certain content on external storage devices can expose your phone to malware and ultimately give hackers access to your device without your permission. (However, the best Android antivirus apps should be able to spot and neutralize the malware.)
The researcher, whose findings were earlier reported on by Wired, detailed his findings in a blog post on Check Point's website. He called the attacks Man-in-the-Disk threats and said that when Android apps "are careless about their use of external storage," an area that sits outside the sandbox protection built into Android, hackers could target your device.
While internal storage is protected by the Android Sandbox that safeguards your device, external storage, like a microSD card, isn't, according to Check Point. External storage is often used to store photos and files, which typically won't cause any problems; things go awry when apps need access to external storage.
Check Point found that some hackers are using the Man-in-the-Disk attack after you download a "seemingly harmless application." That app then gets access to data stored on your microSD card, like photos or files.
When it calls to the cloud server to update its code, the app could be intercepted, and hackers could modify the code and install malware on your device by using the external storage loophole.
"Our research demonstrated the ability to install an undesired application in the background, without the user’s permission. We have also demonstrated the ability to crash the attacked application, causing it a denial of service," Check Point said.
"Once crashed and with the app’s defenses down, the attacker could then potentially carry out a code injection to hijack the permissions granted to the attacked application and escalate his own privileges in order to access other parts of the user’s device, such as the camera, the microphone, contacts list and so forth."
A variety of apps are at risk of falling victim to the Man-in-the-Disk attack, including Google Translate, the Xiaomi browser, and others, according to the researchers.
What's perhaps most concerning is how difficult it might be to actually protect yourself. Indeed, only apps that follow Google's security guidelines and don't allow for such easy access to external storage will keep you safe. If the developer hasn't ensured security protections, you're out of luck.
And worst of all, you simply won't know you're being targeted. So, if you really want to keep yourself safe, don't use external storage.
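For app developers, one defense against the tampering described above is to copy any file taken from external storage into app-private storage, hashing it during the copy, and to use only that private copy if the hash matches a value obtained over a trusted channel. The Java below is an added example, not code from Check Point or Google; the class and method names, the temp directories standing in for shared and private storage, and the source of the expected SHA-256 are assumptions.

```java
import java.io.File;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.security.DigestInputStream;
import java.security.MessageDigest;

public final class ExternalFileGuard {
    // Hypothetical helper. privateDir is assumed to be app-private storage (on Android,
    // for example Context.getFilesDir()); expectedSha256 is assumed to come from a
    // trusted channel such as the app's HTTPS update manifest.
    static File stageAndVerify(File untrusted, File privateDir, byte[] expectedSha256)
            throws Exception {
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        File staged = File.createTempFile("staged-", ".bin", privateDir);
        // Hash the bytes while copying, so the digest covers exactly what was staged
        // and a later overwrite of the shared file cannot change what gets used.
        try (InputStream in = new DigestInputStream(Files.newInputStream(untrusted.toPath()), sha256);
             OutputStream out = Files.newOutputStream(staged.toPath())) {
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) {
                out.write(buf, 0, n);
            }
        }
        // Constant-time comparison; on mismatch the staged copy is discarded.
        if (!MessageDigest.isEqual(sha256.digest(), expectedSha256)) {
            staged.delete();
            throw new SecurityException("integrity check failed: " + untrusted.getName());
        }
        return staged; // callers use only this private copy from here on
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: temp directories stand in for the two storage areas.
        File shared = Files.createTempDirectory("shared").toFile();
        File priv = Files.createTempDirectory("private").toFile();
        File update = new File(shared, "update.bin");
        Files.write(update.toPath(), "genuine payload".getBytes("UTF-8"));
        byte[] expected = MessageDigest.getInstance("SHA-256").digest("genuine payload".getBytes("UTF-8"));
        System.out.println("accepted: " + stageAndVerify(update, priv, expected).getName());
        // Another app with storage permission replaces the shared file.
        Files.write(update.toPath(), "tampered payload".getBytes("UTF-8"));
        try {
            stageAndVerify(update, priv, expected);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Verifying the file in place on external storage and then opening it again would leave a window in which it can be swapped, which is why the check runs on the bytes already copied to private storage.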