Remote management app exposes millions of Android users to hacking

Man-in-the-middle attackers could exploit an AirDroid flaw to execute malicious code on devices

Poor implementation of encryption in a popular Android remote management application exposes millions of users to data theft and remote code execution attacks.

According to researchers from mobile security firm Zimperium, the AirDroid screen sharing and remote control application sends authentication information encrypted with a hard-coded key. This information could allow man-in-the-middle attackers to push out malicious AirDroid add-on updates, which would then gain the permissions of the app itself.

AirDroid has access to a device's contacts, location information, text messages, photos, call logs, dialer, camera, microphone and the contents of the SD card. It can also perform in-app purchases, change system settings, disable the screen lock, change network connectivity and much more.

The app, developed by an outfit called Sand Studio, has been in the Google Play store since 2011 and, according to its developers, has more than 20 million downloads.

While AirDroid uses encrypted HTTPS connections for most of its features, some functionality sends data to remote servers over plain HTTP, the Zimperium researchers said in a blog post. The developers attempted to secure this data using the Data Encryption Standard (DES), but the encryption key is static and hard-coded into the application itself, meaning that anyone can retrieve it, the researchers said.

One vulnerable feature involves the collection of statistics, which are sent by the app to a server using DES-encrypted JSON payloads. These payloads include identifiers such as the account_id, androidid, device_id, IMEI, IMSI, logic_key and unique_id.

A hacker in a position to intercept user traffic on a network could sniff AirDroid requests to the statistics-gathering server and use the hard-coded encryption key to decrypt the JSON payload. The account- and device-identifying information inside can then be used to impersonate the device to other servers accessed by the app.

"Having this information, the attacker can now impersonate the victim’s device and perform various HTTP or HTTPS requests on its behalf to the AirDroid API endpoints," the Zimperium researchers said.

For example, a man-in-the-middle attacker could redirect requests to the server used to check for AirDroid plug-in updates and then inject a fake update into the response. The user would be notified that an update is available and would likely install it, giving the malicious code access to AirDroid's permissions.

The Zimperium researchers claim that they notified the AirDroid developers about the problem in May and were informed in September about an upcoming update. New versions of AirDroid, 4.0.0 and 4.0.1, were released in November, but they're still vulnerable, according to Zimperium, so the researchers decided to make the vulnerability public.

An update that will fix this issue is expected to start rolling out within the next two weeks, said Betty Chen, chief marketing officer of Sand Studio, via email. The "boutique" development team needed time to develop the solution and synchronize the code of all its clients for different platforms and servers before starting to deploy the new encryption solution, which is not compatible with previous versions, she said.

There was some miscommunication, as the date the company gave out to Zimperium was for the release of AirDroid 4.0, which makes some related changes, but not the actual fix.

This is not the first time a serious vulnerability has been found in AirDroid. In April 2015, a researcher found that he could take over an Android device with AirDroid installed by simply sending a malicious link to the user via SMS. In February, researchers from Check Point found a way to exploit AirDroid to steal data from devices via maliciously crafted contact cards (vCards).

The Zimperium researchers recommend disabling or uninstalling the app until a fix for the latest issue is made available.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?