What Android token theft is and why it matters now
Android token theft is the abuse of hidden authentication tokens stored inside apps. Attackers steal these long-lived credentials to access accounts without passwords, login prompts, or obvious alerts, and can then read data or send actions as the victim while their traffic looks normal in security logs. Recent research from Enclave showed that a debug flag called setIsDebugMode(true) was left enabled in several Microsoft 365 Android apps, weakening account token security by skipping checks that should block untrusted apps. This Android app vulnerability affected Word, Excel, PowerPoint, OneNote, Microsoft Loop, and Microsoft 365 Copilot, all of which share tokens for single sign-on. Any malicious app installed on the same device could request those tokens in the background and gain persistent access to email, files, calendars, or documents without the user’s knowledge.

How attackers abuse leaked account tokens
In the Microsoft 365 case, the bug sat in a shared SDK that handled sign-in across multiple Android apps. Because setIsDebugMode(true) was left on, the normal safeguard that restricts token sharing to trusted Microsoft apps was skipped, so any other app on the same phone could ask for and receive the signed-in user’s token. Enclave identified these as FOCI tokens, which are refresh tokens designed for cross-app access and long-term single sign-on. That makes them especially dangerous: they can be refreshed and reused over long periods, and the resulting traffic looks routine in logs. From the user’s side, nothing suspicious appears—no new login screen, no extra permission prompt. A malicious app, including one compromised in a supply chain attack, could silently collect these tokens and forward them to attackers, granting them ongoing access to services tied to the victim’s Microsoft 365 account.
Microsoft’s May 12 patch and why updating is not enough
Microsoft released a Microsoft 365 security patch on May 12 that fixed the Android token flaw across six apps: Word, Excel, PowerPoint, OneNote, Microsoft Loop, and Microsoft 365 Copilot. According to The Hacker News, Microsoft issued four CVEs for these issues: CVE-2026-41100 for Copilot, CVE-2026-41101 for Word, CVE-2026-41102 for PowerPoint, and CVE-2026-42832 covering Microsoft Office, including Word and Excel for Android. Updated builds, such as Word for Android version 16.0.19822.20190, restore proper checks so only trusted Microsoft apps can receive tokens. However, app updates do not automatically invalidate stolen tokens. FOCI refresh tokens outlive a simple app update, so if your device ran an affected version alongside untrusted apps, an attacker could still hold valid tokens. Security teams should revoke refresh tokens where needed and force users to sign in again to fully close any lingering access.
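The two checks described above, the debug-flag bypass and the restored trusted-caller check, as a constructed Python model added here for illustration. It is not Microsoft's or MSAL's code: the package names, signer bytes, allowlist and token value are all made up, and the release_build gate is one defensive pattern, not a description of the actual patch.

```python
import hashlib
import hmac

# Constructed model of a cross-app token broker (not Microsoft's or MSAL's code).

def cert_fingerprint(cert_der: bytes) -> str:
    """Hex SHA-256 fingerprint of an APK signing certificate (constructed bytes here)."""
    return hashlib.sha256(cert_der).hexdigest()

# Constructed allowlist: package name -> expected signer fingerprint. Checking the
# signer matters because a package name alone can be claimed by any installed app.
TRUSTED_CALLERS = {
    "com.example.office.word": cert_fingerprint(b"constructed-office-signer"),
    "com.example.office.excel": cert_fingerprint(b"constructed-office-signer"),
}

class TokenBroker:
    def __init__(self, trusted: dict, debug_mode: bool = False, release_build: bool = True):
        self.trusted = trusted
        self.debug_mode = debug_mode
        self.release_build = release_build
        self.refresh_token = "constructed-foci-refresh-token"  # shared SSO credential

    def is_trusted_caller(self, package_name: str, cert_der: bytes) -> bool:
        expected = self.trusted.get(package_name)
        if expected is None:
            return False
        return hmac.compare_digest(expected, cert_fingerprint(cert_der))

    def request_token_vulnerable(self, package_name: str, cert_der: bytes) -> str:
        """Flawed check: the debug flag alone skips the allowlist for every caller."""
        if self.debug_mode or self.is_trusted_caller(package_name, cert_der):
            return self.refresh_token
        raise PermissionError(f"untrusted caller {package_name}")

    def request_token_hardened(self, package_name: str, cert_der: bytes) -> str:
        """Hardened check: the bypass is honoured only in a non-release build."""
        bypass = self.debug_mode and not self.release_build
        if bypass or self.is_trusted_caller(package_name, cert_der):
            return self.refresh_token
        raise PermissionError(f"untrusted caller {package_name}")

def grants_token(request_fn, package_name: str, cert_der: bytes) -> bool:
    """True if the given check releases a token to the caller, False if it refuses."""
    try:
        return request_fn(package_name, cert_der) is not None
    except PermissionError:
        return False
```

With the flag shipped enabled in a release build, the vulnerable check hands the token to any package, while the hardened check still refuses unknown packages and known package names presented with the wrong signer.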
Steps every Android user should take immediately
To reduce your risk from Android token theft, start by updating all Microsoft 365 Android apps through Google Play—specifically Word, Excel, PowerPoint, OneNote, Microsoft Loop, and Microsoft 365 Copilot. If your workplace manages phones with MDM, ask your admin to confirm that no device is still on a build earlier than the patched Word version 16.0.19822.20190. Next, review installed apps and remove anything you do not recognize or no longer use, especially if it has broad permissions like file or network access. Check your Microsoft 365 account for unusual sign-in activity, new locations, or unexpected device entries. If you suspect exposure, sign out of all sessions where possible and work with IT to revoke refresh tokens. Remember that this type of Android app vulnerability does not rely on stolen passwords, so a password change alone will not stop attackers who already hold valid tokens.
How to spot and avoid compromised or risky apps
Because token vulnerabilities are quieter than traditional breaches, learning to spot risky apps is essential. Be wary of apps that request access they do not obviously need, such as productivity tools asking for wide file access or network permissions without a clear reason. Watch for sudden behavior changes after an update, since a malicious update to a previously trusted app is one realistic supply chain attack path. Prefer apps from reputable developers, keep automatic updates enabled from the official app store, and disable installation from unknown sources. For work accounts, follow your organization’s Android app governance policies and avoid mixing sensitive accounts with unmanaged or experimental apps on the same device. Regularly reviewing app permissions and cleaning up unused software reduces the chance that a local spoofing flaw in one app will turn into a full account takeover across your cloud services.