For the past six months, popular Android app AirDroid has endangered millions of users. The app is vulnerable to code execution and data theft attacks under certain conditions.
AirDroid is a popular app that lets Android users sync notifications and transfer files between their phone and computer. But security firm Zimperium analyzed the app and, in a blog post, reported several vulnerabilities in it. Attackers on the same network as an AirDroid user can exploit the app to send the user fake updates or to view sensitive information. This information can include the International Mobile Equipment Identity (IMEI) and International Mobile Subscriber Identity (IMSI) numbers unique to each phone.
The affected app versions are 4.0 and 4.0.1. Although Google scans all apps in the Google Play store for malicious tools, this one apparently slipped through. Simone Margaritelli, a security researcher at Zimperium’s zLabs, said that even though AirDroid uses HTTPS to encrypt most traffic, data for some app functions is sent over plain HTTP.
The app encrypts the data sent over HTTP with the Data Encryption Standard (DES). But the encryption key (890jklms) is hard-coded directly into the app, where Zimperium quickly found it. If it was that easy for security researchers to find, it is just as easy for malicious hackers.
The Zimperium team says it first contacted AirDroid back in May to warn the developers of the vulnerabilities. In September, AirDroid told Zimperium that the problem would be fixed in an upcoming release. But when that release went live two weeks ago, Zimperium found that the vulnerabilities still had not been fixed.
AirDroid’s chief marketing officer, Betty Chen, emailed Ars Technica to make a statement:
“Due to the complexity of coding for a cross-screen management application like us, we require a complete sync systematic coding across clients and server…we did publish an update late in November but it is only for mobile client (AirDroid 4.0).”
Zimperium says that a malicious hacker could perform a man-in-the-middle (MitM) attack to steal device information. As you can see in the image above, information like the IMEI, IMSI and Account ID is exposed.
Using the 890jklms key found in the app’s code, the hacker could decrypt all data requests sent over HTTP and read the JSON payload. Armed with this information, the attacker can impersonate the target’s device and perform HTTP and/or HTTPS requests to the AirDroid API.
The AirDroid server then gives up user information such as the email address and password hash. The hacker could also redirect HTTP traffic to a malicious proxy server and tamper with the app’s /phone/vncupgrade request, which the app uses to check for add-on updates.
GET /p14/phone/vncupgrade/?q=[DES ENCRYPTED PAYLOAD]&ver=20151 HTTP/1.1
Host: srv3.airdroid.com
Connection: close
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
The hacker can inject a fake update response that points the user to a malicious APK file, perhaps containing a virus or other malware. The app then tells the user an update is available, downloads the RCE.apk package and prompts the user to install it.
Although the app uses HTTPS API endpoints for most functions, it sometimes uses insecure channels. For example, it sends statistics to http://stat3.airdroid.com, as found in the com.sand.airdroid.configs.urls.ReleaseUrls class. Zimperium published a video demonstrating the attack.
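The root cause of the fake-update attack is that the client trusts whatever the update endpoint returns over a channel an on-path attacker controls. The following Go program, an added example that is not AirDroid's code, shows the check a client should make instead: the vendor signs a manifest (version plus the SHA-256 of the APK) with a private key it keeps offline, and the client verifies that signature against a pinned public key and compares the downloaded file's hash before it ever prompts the user to install. The manifest format, key pair and APK bytes are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// UpdateManifest is a constructed format for this example, not AirDroid's
// real vncupgrade response: version, SHA-256 of the APK, and a signature
// over both fields made with the vendor's release key.
type UpdateManifest struct {
	Version   int    `json:"ver"`
	ApkSHA256 []byte `json:"apk_sha256"`
	Signature []byte `json:"sig"`
}

// signedPayload is the canonical byte string that is signed and verified.
func signedPayload(m UpdateManifest) []byte {
	m.Signature = nil
	b, _ := json.Marshal(m)
	return b
}

// SignManifest runs in the vendor's release process, never on the client.
func SignManifest(priv ed25519.PrivateKey, version int, apk []byte) UpdateManifest {
	sum := sha256.Sum256(apk)
	m := UpdateManifest{Version: version, ApkSHA256: sum[:]}
	m.Signature = ed25519.Sign(priv, signedPayload(m))
	return m
}

// AcceptUpdate is the client-side check: a valid signature from the pinned
// vendor key, and a downloaded APK whose hash matches the signed one.
// A manifest or APK swapped in by a malicious proxy fails one or both.
func AcceptUpdate(pub ed25519.PublicKey, m UpdateManifest, apk []byte) bool {
	if !ed25519.Verify(pub, signedPayload(m), m.Signature) {
		return false
	}
	sum := sha256.Sum256(apk)
	return bytes.Equal(sum[:], m.ApkSHA256)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	genuine := []byte("constructed genuine APK bytes")
	m := SignManifest(priv, 20152, genuine)
	fmt.Println("genuine update accepted:", AcceptUpdate(pub, m, genuine))
	fmt.Println("swapped APK accepted:", AcceptUpdate(pub, m, []byte("RCE.apk")))
}
```

In a real client the public key is compiled into the app, and the manifest and APK should still be fetched over HTTPS; the signature check is what protects the user when that channel is downgraded or intercepted.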
Even though Android sandboxes apps as a security measure, these vulnerabilities are still a serious threat. AirDroid holds a lot of permissions: making in-app purchases and accessing contacts, device location, text messages, photos, the camera, the microphone, Wi-Fi data, the device ID and call information. This means a hacker could even change these app permissions or ask for new ones, as long as the user taps the OK button.
For now, you should only use AirDroid on networks that you trust. Once the developers release a patch, download and install it only on a secure network. Even if you use a VPN on an insecure network, hackers could still bypass it. One way is to present you with a captive portal page like the ones you see at hotels or airports, the login page where you have to agree to the terms and conditions before using the public Wi-Fi.