Another day, another new Android malware strain. Microsoft is sounding the alarm about a recently discovered critical security vulnerability on Android named “Dirty Stream” that can let malicious apps easily hijack legitimate apps. Worse still, this flaw impacts multiple apps with hundreds of millions of installs. If you have one of the best Android phones, here’s what you need to know to protect your data. 

The vulnerability relates to the ContentProvider system prevalent across many popular Android apps, which manages access to structured data sets meant to be shared between different applications. It’s basically what lets your Android apps talk to one another and share files. To protect users and ward off unauthorized access, the system includes safeguards such as strict isolation of data, unique permissions attached to specific URIs (Uniform Resource Identifiers), and path validation security. 

According to the Microsoft alert, two vulnerable identified include Xiaomi Inc.’s File Manager (1B+ installs) and WPS Office (500M+ installs). 

What makes the Dirty Stream vulnerability so devious is how it manipulates this system. Microsoft has found that hackers can create “custom intents,” messaging objects that facilitate communication between components across Android apps, to bypass these security measures. By exploiting this loophole, malicious apps can send a file with a manipulated filename or path to another app using a custom intent, sneaking in harmful code disguised as legitimate files. 

From there, a hacker could trick a vulnerable app into overwriting critical files within its private storage space — and the results can be devastating. As BleepingComputer put it, Dirty Stream essentially turns a common OS-level function into a weaponized tool to execute unauthorized code, steal data, and even hijack an app while the user is none the wiser. 

“Arbitrary code execution can provide a threat actor with full control over an application’s behavior,” Microsoft said in a security bulletin this week. “Meanwhile, token theft can provide a threat actor with access to the user’s accounts and sensitive data.”

Update May 6: We have updated this article to highlight the compromised apps, which have since been patched and have changed the headline to address that there doesn’t appear to be the need to delete applications at this time. We will update this report once we learn more. 

How widespread is this threat?

Microsoft’s investigation found that this vulnerability is not an isolated issue. The company uncovered incorrect implementations of the content provider system prevalent across many popular Android apps. 

“We identified several vulnerable applications in the Google Play Store that represented over four billion installations,” Microsoft explained. “We anticipate that the vulnerability pattern could be found in other applications.”

Microsoft gives two examples of popular apps that were susceptible to this risk that have since been patched: Xiaomi Inc.’s File Manager (1B+ installs) and WPS Office (500M+ installs).

Given the nature of how this vulnerability works, it’s hard to know exactly how many other legitimate apps may have been impacted. But it’s safe to assume this potential risk is on an industrial scale until all apps are patched. 

How to stay safe from Android malware

To steer clear of potentially harmful malware infecting your Android device, the first and easiest step is to avoid sideloading apps altogether. While it might seem convenient, and certain apps may require sideloading, the majority of people can find what they need on official app stores like Google Play Store, Samsung Galaxy Store, or Amazon Appstore.

The reason you don’t want to sideload apps is that they don’t go through the same stringent security checks that apps hosted on official stores do. This is why it’s crucial to rely on reputable sources for app downloads to keep your device safe from malware. 

Next, you should ensure Google Play Protect is enabled on your Android smartphone. It comes pre-installed on most phones with the Play Store, and it actively scans both existing and newly downloaded apps for viruses. Likewise, you can also install one of the best Android antivirus apps for additional protection and extra features to help keep you safer online.

More from Tom’s Guide

Following extensive player backlash, Sony has walked back its plans to require PC players of Helldivers 2 to link their Steam accounts with a PlayStation Network (PSN) account. The requirement had previously been scheduled to take effect May 6. Now, it will be optional for PC players of the third-person sci-fi shooter.

“Helldivers fans—we’ve heard your feedback on the Helldivers 2 account linking update,” Sony wrote early Monday morning. “The May 6 update, which would have required Steam and PlayStation Network account linking for new players and for current players beginning May 30, will not be moving forward. We’re still learning what is best for PC players and your feedback has been invaluable. Thanks again for your continued support of Helldivers 2 and we’ll keep you updated on future plans.”

Arrowhead Game Studios CEO and Helldivers Creative Director Johan Pilestedt thanked Sony for changing its stance. “I am impressed by the willpower of the Helldivers 2 community and your ability to collaborate,” Pilestedt wrote Monday morning. “I want to thank our partners and friends at PlayStation for quickly and effectively making the decision to leave PSN linking optional. We together want to set a new standard for what a live game is, and how developers and community can support each other to create the best game experiences.”

This Tweet is currently unavailable. It might be loading or has been removed.

Sony’s decision to switch course comes after Helldivers 2 faced criticism from fans over the PSN account-linking requirement. The game, which was released back in February, did not require PC players to create or link a PSN account upon launch and didn’t clearly warn players that they would have to create one at a later date or later lose their ability to play the game. According to Sony, PSN account-linking wasn’t required at launch due to “technical issues.”

Steam gamers felt blind-sided by the announcement that they would have to sign up for what is primarily an account for PS4 and PS5 console owners despite being PC gamers. Others expressed frustration because PSN accounts aren’t available in every country. This would have meant that gamers in 177 countries—mainly nations in the Middle East, the Caribbean, and Africa—would have no longer been able to play Helldivers 2 without a VPN. Some players cited security concerns with Sony, such as the data breaches it faced in 2011 and 2023, as the reason they don’t want to create or connect a PSN account.

As a reaction to Sony’s sudden PSN requirement, players overwhelmingly review-bombed the game, transforming its positive Steam score into a “Mostly Negative” one. When the negative reviews came flowing in last week, Pilestedt said: “Ouch, right in the review score. Well, I guess it’s warranted. Sorry to everyone for how this transpired.” At time of writing, Helldivers 2 has 400,000 positive player reviews and nearly 360,000 negative player reviews on its Steam page.

Other players objected to the PSN account requirement based on principle. “I was so busy having fun that I forgot about corporate greed for a moment,” wrote one Helldivers 2 player with 162 game hours logged.

The response to Sony killing the PSN account requirement has been met with plenty of positive reactions and player responses that tap into the satirical humor of the game, though not all have been positive. “Democracy prevails,” the Opera GX web browser’s X account said early Monday morning.

<div class="container-xs mt-8 rounded bg-gray-100 p-4 text-center content-visibility-auto contain-intrinsic-size-[auto_none] md:px-32 md:py-8" role="region" aria-label="Newsletter Sign-Up" x-data="window.newsletters()" x-init="initNewsletter({"id":1,"list_id":17768392,"status":"Published","title":"What's New Now","deck":"Your daily dose of the latest tech stories, best new products, and expert advice from the editors of PCMag.","slug":"whats-new-now","courier_list":"Whats New Now","image":{"path":"newsletters/17768392.jpg","metadata":{"attribution":"unknown"}},"preview_link":"https://secure.campaigner.com/csb/Public/show/g6xi-2kqu0e–10iw0e-i5zs6df6","contextual_title":"Get Our Best Stories!","contextual_deck":"Sign up for What’s New Now to get our top stories delivered to your inbox every morning.”,”first_published_at”:”2021-09-30T21:30:40.000000Z”,”published_at”:”2022-08-31T18:35:24.000000Z”,”last_published_at”:”2022-08-31T18:35:20.000000Z”,”created_at”:null,”updated_at”:”2022-08-31T18:35:24.000000Z”})” x-show=”showEmailSignUp()” readability=”30.769230769231″>