Domain, site, application
Android Mail.Ru Email v. 184.108.40.20658
Tested on non rooted Nexus 5x Android 7.1.2,
I found that #90693 was fixed incompletely and additionaly the attack can be improved using self sending activity.
- Create some word readable file in "/data/data/thirdparty/file.txt"
- Create soft link on that file "/data/data/thirdparty/link.txt"
- Send this soft via Intent.EXTRA_STREAM to the Mail.Ru "ru.mail.ui.writemail.MailToMySelfActivity"
- After some delay, for example 1000ms, remove soft link and create new, but which will point at any file from "/data/data/ru.mail.mailapp/*". Pay attention, that MailToMySelfActivity is do sending automatically and you need find for your PoC delay which will fit in time. (Or you can use ru.mail.ui.writemail.SharingActivity)
- The message will be sent. If user will open that message than attachment will be downloaded automatically into the "/sdcard/Android/data/ru.mail.mailapp/...." folder.
- It means that any app will be able to read this attachment data which may contain private file content, for example message database.
I attach PoC source
Video link (accessed only by url): https://youtu.be/tXAadbkhDCM