Remote management app exposes millions of Android users to hacking

Man-in-the-middle attackers could exploit an AirDroid flaw to execute malicious code on devices

Poor implementation of encryption in a popular Android remote management application exposes millions of users to data theft and remote code execution attacks.

According to researchers from mobile security firm Zimperium, the AirDroid screen sharing and remote control application sends authentication information encrypted with a hard-coded key. This information could allow man-in-the-middle attackers to push out malicious AirDroid add-on updates, which would then gain the permissions of the app itself.

AirDroid has access to a device's contacts, location information, text messages, photos, call logs, dialer, camera, microphone and the contents of the SD card. It can also perform in-app purchases, change system settings, disable the screen lock, change network connectivity and much more.

The app, developed by an outfit called Sand Studio, has been in the Google Play store since 2011 and, according to its developers, has more than 20 million downloads.

While AirDroid uses encrypted HTTPS connections for most of its features, some functionality sends data to remote servers over plain HTTP, the Zimperium researchers said in a blog post. The developers attempted to secure this data using the Data Encryption Standard (DES), but the encryption key is static and hard-coded into the application itself, meaning that anyone can retrieve it, the researchers said.

One vulnerable feature involves the collection of statistics, which are sent by the app to a server using DES-encrypted JSON payloads. These payloads include identifiers such as the account_id, androidid, device_id, IMEI, IMSI, logic_key and unique_id.

A hacker in a position to intercept user traffic on a network could sniff AirDroid requests to the statistics-gathering server and use the hard-coded encryption key to decrypt the JSON payload. The account- and device-identifying information inside can then be used to impersonate the device to other servers accessed by the app.

"Having this information, the attacker can now impersonate the victim’s device and perform various HTTP or HTTPS requests on its behalf to the AirDroid API endpoints," the Zimperium researchers said.
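The decryption step described above, as an added example that is not part of the article or of AirDroid's code. Everything in it is constructed: the 8-byte key stands in for whatever static key a reverser would pull out of the APK (it is not the real one), the identifier values are sample data rather than captured traffic, and ECB mode with PKCS#7 padding is an assumption, since the write-up names only DES. The point it makes is the one in the text: once the key is a constant in the app, the "encryption" on the plain-HTTP statistics request is no more than encoding to anyone on the path.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed 8-byte DES key standing in for the static key a reverser
// would recover from the APK. This is NOT AirDroid's real key; it is an
// assumption for this example only.
var HardcodedKey = []byte("K3yAssum")

// StatsPayload carries the identifier fields the Zimperium write-up lists
// in the statistics JSON. Field names follow the article; the values used
// below are constructed sample data, not captured traffic.
type StatsPayload struct {
	AccountID string `json:"account_id"`
	AndroidID string `json:"androidid"`
	DeviceID  string `json:"device_id"`
	IMEI      string `json:"imei"`
	IMSI      string `json:"imsi"`
	LogicKey  string `json:"logic_key"`
	UniqueID  string `json:"unique_id"`
}

func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptStats models what the vulnerable client does: DES under the
// app-wide static key. ECB mode and PKCS#7 padding are assumptions; the
// article does not name the mode.
func EncryptStats(p StatsPayload, key []byte) ([]byte, error) {
	block, err := des.NewCipher(key) // rejects anything but an 8-byte key
	if err != nil {
		return nil, err
	}
	pt, err := json.Marshal(p)
	if err != nil {
		return nil, err
	}
	pt = pkcs7Pad(pt, block.BlockSize())
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += block.BlockSize() {
		block.Encrypt(ct[i:i+block.BlockSize()], pt[i:i+block.BlockSize()])
	}
	return ct, nil
}

// DecryptIntercepted is the attacker side: given bytes sniffed from the
// plain HTTP request and the key recovered from the APK, get the
// identifiers back as a parsed payload.
func DecryptIntercepted(ct, key []byte) (StatsPayload, error) {
	var p StatsPayload
	block, err := des.NewCipher(key)
	if err != nil {
		return p, err
	}
	if len(ct) == 0 || len(ct)%block.BlockSize() != 0 {
		return p, errors.New("ciphertext not block aligned")
	}
	pt := make([]byte, len(ct))
	for i := 0; i < len(ct); i += block.BlockSize() {
		block.Decrypt(pt[i:i+block.BlockSize()], ct[i:i+block.BlockSize()])
	}
	pt, err = pkcs7Unpad(pt, block.BlockSize())
	if err != nil {
		return p, err
	}
	err = json.Unmarshal(pt, &p)
	return p, err
}

func main() {
	// Constructed victim record; nothing here is a real device.
	victim := StatsPayload{AccountID: "acct-1001", AndroidID: "9774d56d682e549c",
		DeviceID: "dev-42", IMEI: "356938035643809", IMSI: "310260000000000",
		LogicKey: "lk-example", UniqueID: "uid-example"}
	wire, _ := EncryptStats(victim, HardcodedKey)
	fmt.Println("on the wire:", hex.EncodeToString(wire))
	got, err := DecryptIntercepted(wire, HardcodedKey)
	fmt.Println("recovered:", got.DeviceID, got.IMEI, err)
}
```

The check worth keeping in mind when you audit an app like this: grep the decompiled code for the cipher call, and if the key argument is a literal (or derived only from constants also in the APK), the transport is effectively plaintext regardless of the algorithm chosen. Encrypting the same JSON twice with this code also yields byte-identical ciphertext, which is what lets an interceptor recognise a given device's requests without even decrypting them.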

For example, a man-in-the-middle attacker could redirect requests to the server used to check for AirDroid plug-in updates and then inject a fake update into the response. The user would be notified that an update is available and would likely install it, giving the malicious code access to AirDroid's permissions.
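The update-channel weakness described above, with a hardened counterpart, as an added example. This is not AirDroid's code and not the fix Sand Studio shipped (the article only says a new, incompatible encryption scheme was being rolled out); it shows the generic mitigation a reviewer would ask for. The manifest fields, host names, key pair and plug-in bytes are all constructed for the example. The client that takes the HTTP response at face value accepts the injected manifest; the client that verifies an Ed25519 signature against a public key pinned in the app rejects it, because the man-in-the-middle can replace the manifest and re-sign it, but only with a key the app does not trust.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// UpdateManifest is a constructed stand-in for a plug-in update response.
// The field names are assumptions for this example, not AirDroid's format.
type UpdateManifest struct {
	Plugin  string `json:"plugin"`
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"` // hex digest of the plug-in binary
}

// SignedUpdate is the response body: the manifest bytes and a detached
// signature over exactly those bytes.
type SignedUpdate struct {
	Manifest  []byte
	Signature []byte
}

// NewSigningKey stands in for the vendor's offline signing key. Only the
// public half would ever ship inside the app.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignUpdate is the server side: serialise the manifest and sign it.
func SignUpdate(m UpdateManifest, priv ed25519.PrivateKey) (SignedUpdate, error) {
	raw, err := json.Marshal(m)
	if err != nil {
		return SignedUpdate{}, err
	}
	return SignedUpdate{Manifest: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

// Tamper models the man-in-the-middle: the update response is replaced with
// an attacker-chosen manifest, signed with the attacker's own key so that
// it still looks signed.
func Tamper(evil UpdateManifest) SignedUpdate {
	_, attackerPriv := NewSigningKey()
	forged, _ := SignUpdate(evil, attackerPriv)
	return forged
}

// AcceptUpdateUnverified is the client behaviour the attack relies on:
// whatever the update server answers over plain HTTP is taken at face value.
func AcceptUpdateUnverified(resp SignedUpdate) (UpdateManifest, error) {
	var m UpdateManifest
	err := json.Unmarshal(resp.Manifest, &m)
	return m, err
}

// AcceptUpdateVerified is the hardened client: the manifest is only parsed
// after its signature checks out against the public key pinned in the app.
func AcceptUpdateVerified(resp SignedUpdate, pinned ed25519.PublicKey) (UpdateManifest, error) {
	if len(pinned) != ed25519.PublicKeySize ||
		len(resp.Signature) != ed25519.SignatureSize ||
		!ed25519.Verify(pinned, resp.Manifest, resp.Signature) {
		return UpdateManifest{}, errors.New("update manifest signature invalid, refusing update")
	}
	return AcceptUpdateUnverified(resp)
}

// VerifyDownload binds the fetched plug-in bytes to the (now trusted)
// manifest, so a swapped binary is caught even when the manifest is genuine.
func VerifyDownload(m UpdateManifest, blob []byte) bool {
	sum := sha256.Sum256(blob)
	return hex.EncodeToString(sum[:]) == m.SHA256
}

func main() {
	pub, priv := NewSigningKey()
	plugin := []byte("constructed plug-in bytes") // stands in for the real add-on
	sum := sha256.Sum256(plugin)
	genuine := UpdateManifest{Plugin: "sample-plugin", Version: "1.0.1",
		URL: "http://updates.example/sample-plugin.apk", SHA256: hex.EncodeToString(sum[:])}
	resp, _ := SignUpdate(genuine, priv)
	forged := Tamper(UpdateManifest{Plugin: "sample-plugin", Version: "9.9.9",
		URL: "http://attacker.example/evil.apk"})
	_, naiveErr := AcceptUpdateUnverified(forged)
	_, hardenedErr := AcceptUpdateVerified(forged, pub)
	m, _ := AcceptUpdateVerified(resp, pub)
	fmt.Println("naive client accepts forged update:", naiveErr == nil)
	fmt.Println("hardened client accepts forged update:", hardenedErr == nil)
	fmt.Println("genuine plug-in matches manifest:", VerifyDownload(m, plugin))
}
```

Two design points. The private key never exists on the device, which is exactly the property the hard-coded DES key lacks: a symmetric secret shared with every installed copy can be extracted by anyone and therefore authenticates nothing. And the signature covers the manifest while the manifest's digest covers the binary, so both the "what to install" decision and the bytes actually installed are tied back to the pinned key; checking only one of the two leaves the other open to substitution.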

The Zimperium researchers claim that they notified the AirDroid developers about the problem in May and were informed in September about an upcoming update. New versions of AirDroid, 4.0.0 and 4.0.1, were released in November, but they're still vulnerable, according to Zimperium, so the researchers decided to make the vulnerability public.

An update that will fix this issue is expected to start rolling out within the next two weeks, said Betty Chen, chief marketing officer of Sand Studio, via email. The "boutique" development team needed time to develop the solution and synchronize the code of all its clients for different platforms and servers before starting to deploy the new encryption solution, which is not compatible with previous versions, she said.

There was some miscommunication, as the date the company gave out to Zimperium was for the release of AirDroid 4.0, which makes some related changes, but not the actual fix.

This is not the first time a serious vulnerability has been found in AirDroid. In April 2015, a researcher found that he could take over an Android device with AirDroid installed by simply sending a malicious link to the user via SMS. In February, researchers from Check Point found a way to exploit AirDroid to steal data from devices via maliciously crafted contact cards (vCards).

The Zimperium researchers recommend disabling or uninstalling the app until a fix for the latest issue is made available.
