An attack typically works by convincing the user to download a seemingly innocuous app that monitors the external storage use of legitimate software. When the legit apps check for updates, their hostile counterparts modify externally-stored content to perform a variety of sinister actions once it reaches the innocent programs. They can install malware instead of intended updates, flood phones with denial of service attacks or crash apps to inject harmful code.

And unfortunately, at least some of the apps found misusing storage were ones you've likely run at some point. Google's Translate, Voice Typing and Text-to-Speech apps all handled external storage badly, while common third-party apps like Xiaomi Browser and Yandex Translate also fell short. "Various additional applications" also had problems, Check Point said.

Google and other vendors have either fixed or are fixing their apps as we write this. The problem, as you might surmise, is that a security firm can't verify every Android app to make sure it uses external storage properly. And since Android doesn't have native protection for data held in external storage, there's no universal fix at the moment. The best current defense is to avoid downloading strange apps and update trustworthy apps as often as possible.
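One way an app can protect itself against the tampering described above, shown as an added example that is not from the original article or from any of the vendors named: copy the staged file into private storage first, then check the private copy against a digest. The class name, method name, and the idea that the expected SHA-256 arrives over a trusted channel (for example, the HTTPS update manifest) are assumptions; the code is plain Java using `java.nio.file`, which Android provides from API 26.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Hypothetical helper for illustration; not part of any app mentioned in the article.
public final class StagedUpdateCheck {

    /**
     * Copies a file staged on shared storage into the app's private directory,
     * then verifies the private copy. Hashing the copy, not the original, means
     * another app cannot swap the bytes between the check and the use.
     *
     * @param staged         file on external/shared storage (untrusted)
     * @param privateDir     app-private directory (assumed not writable by other apps)
     * @param expectedSha256 digest obtained over a trusted channel (assumption)
     * @return path of the verified private copy
     */
    public static Path importVerified(Path staged, Path privateDir, byte[] expectedSha256)
            throws IOException, NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        Path local = Files.createTempFile(privateDir, "update-", ".tmp");
        try {
            Files.copy(staged, local, StandardCopyOption.REPLACE_EXISTING);
            try (InputStream in = Files.newInputStream(local)) {
                byte[] buf = new byte[8192];
                for (int n; (n = in.read(buf)) != -1; ) {
                    md.update(buf, 0, n);
                }
            }
            // Constant-time comparison of the computed and expected digests.
            if (!MessageDigest.isEqual(md.digest(), expectedSha256)) {
                throw new SecurityException("staged update failed integrity check");
            }
            return local; // the caller installs or loads this path only
        } catch (IOException | RuntimeException e) {
            Files.deleteIfExists(local); // never leave an unverified copy behind
            throw e;
        }
    }
}
```

The order matters: verifying the file while it still sits on external storage and then reading it again leaves a window in which a monitoring app can replace it.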