Remote management app exposes millions of Android users to hacking

Man-in-the-middle attackers could exploit an AirDroid flaw to execute malicious code on devices

Poor implementation of encryption in a popular Android remote management application exposes millions of users to data theft and remote code execution attacks.

According to researchers from mobile security firm Zimperium, the AirDroid screen sharing and remote control application sends authentication information encrypted with a hard-coded key. This information could allow man-in-the-middle attackers to push out malicious AirDroid add-on updates, which would then gain the permissions of the app itself.

AirDroid has access to a device's contacts, location information, text messages, photos, call logs, dialer, camera, microphone and the contents of the SD card. It can also perform in-app purchases, change system settings, disable the screen lock, change network connectivity and much more.

The app, developed by an outfit called Sand Studio, has been in the Google Play store since 2011 and, according to its developers, has more than 20 million downloads.

While AirDroid uses encrypted HTTPS connections for most of its features, some functionality sends data to remote servers over plain HTTP, the Zimperium researchers said in a blog post. The developers attempted to secure this data using the Data Encryption Standard (DES), but the encryption key is static and hard-coded into the application itself, meaning that anyone can retrieve it, the researchers said.
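A source-review check for the pattern described above, as an added example (not code from Zimperium, Sand Studio or the original article): it flags a legacy cipher, a key built from a string compiled into the app, and cleartext HTTP endpoints in Java source. The sample class, its key string and the example.invalid URLs are constructed for illustration.

```python
import re

# Constructed sample resembling decompiled Java; NOT AirDroid's actual code.
SAMPLE_SOURCE = '''\
public class StatsUploader {
    private static final String KEY = "constructed-key";
    private static final String URL = "http://stats.example.invalid/report";

    byte[] seal(byte[] body) throws Exception {
        SecretKeySpec k = new SecretKeySpec(KEY.getBytes(), "DES");
        Cipher c = Cipher.getInstance("DES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, k);
        return c.doFinal(body);
    }

    String check() { return "https://api.example.invalid/update"; }
}
'''

# String constants whose value is a literal compiled into the app.
CONST_RE = re.compile(r'static\s+final\s+String\s+(\w+)\s*=\s*"[^"]*"')
# Key objects built directly from a string's bytes.
KEYSPEC_RE = re.compile(
    r'new\s+(?:SecretKeySpec|DESKeySpec)\(\s*("[^"]*"|\w+)\s*\.getBytes\(')
# Legacy ciphers that should not protect new traffic.
CIPHER_RE = re.compile(r'Cipher\.getInstance\(\s*"(?:DESede|DES|RC4|RC2)\b')
# Endpoints reached without TLS.
HTTP_RE = re.compile(r'"http://[^"]+"')


def audit(source):
    """Return (line_number, rule) findings for one Java source file."""
    literal_consts = set(CONST_RE.findall(source))
    findings = []
    for number, line in enumerate(source.splitlines(), 1):
        if CIPHER_RE.search(line):
            findings.append((number, "weak-cipher"))
        key = KEYSPEC_RE.search(line)
        if key and (key.group(1).startswith('"') or key.group(1) in literal_consts):
            findings.append((number, "hard-coded-key"))
        if HTTP_RE.search(line):
            findings.append((number, "cleartext-http"))
    return findings


if __name__ == "__main__":
    for number, rule in audit(SAMPLE_SOURCE):
        print(f"line {number}: {rule}")
```

A key fetched from a keystore, an AEAD cipher such as AES-GCM and HTTPS-only endpoints produce no findings.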

One vulnerable feature involves the collection of statistics, which are sent by the app to a server using DES-encrypted JSON payloads. These payloads include identifiers such as the account_id, androidid, device_id, IMEI, IMSI, logic_key and unique_id.

A hacker in a position to intercept user traffic on a network could sniff AirDroid requests to the statistics-gathering server and use the hard-coded encryption key to decrypt the JSON payload. The account- and device-identifying information inside can then be used to impersonate the device to other servers accessed by the app.

"Having this information, the attacker can now impersonate the victim’s device and perform various HTTP or HTTPS requests on its behalf to the AirDroid API endpoints," the Zimperium researchers said.

For example, a man-in-the-middle attacker could redirect requests to the server used to check for AirDroid plug-in updates and then inject a fake update into the response. The user would be notified that an update is available and would likely install it, giving the malicious code access to AirDroid's permissions.

The Zimperium researchers claim that they notified the AirDroid developers about the problem in May and were informed in September about an upcoming update. New versions of AirDroid, 4.0.0 and 4.0.1, were released in November, but they're still vulnerable, according to Zimperium, so the researchers decided to make the vulnerability public.

An update that will fix this issue is expected to start rolling out within the next two weeks, said Betty Chen, chief marketing officer of Sand Studio, via email. The "boutique" development team needed time to develop the solution and synchronize the code of all its clients for different platforms and servers before starting to deploy the new encryption solution, which is not compatible with previous versions, she said.

There was some miscommunication, as the date the company gave out to Zimperium was for the release of AirDroid 4.0, which makes some related changes, but not the actual fix.

This is not the first time a serious vulnerability has been found in AirDroid. In April 2015, a researcher found that he could take over an Android device with AirDroid installed by simply sending a malicious link to the user via SMS. In February, researchers from Check Point found a way to exploit AirDroid to steal data from devices via maliciously crafted contact cards (vCards).

The Zimperium researchers recommend disabling or uninstalling the app until a fix for the latest issue is made available.


Lucian Constantin

IDG News Service