AirDroid, a popular application for exchanging files and data with Android devices, carries a glaring, exploitable vulnerability when it is used on untrusted networks.
For the past six months, one of the best-known remote content-sharing apps for Android, available on the Google Play Store, has been putting the data of "tens of millions of Android users" at risk. So says security company Zimperium, which discovered a vulnerability in AirDroid: it allows code execution and attacks designed to extract sensitive data from the smartphone whenever the device is connected to an untrusted network.
AirDroid has been downloaded by tens of millions of users (10 million to 50 million) from the official app store alone, and it uses an easily recoverable static encryption key when transferring user data and files. Attackers on the same network can exploit this weakness to push fraudulent updates or to obtain sensitive user information, such as the IMEI and IMSI, the device's unique identifiers.
"An attacker who is on the same network as the victim can use this vulnerability to gain full control of a device," said Simone Margaritelli, a major contributor at Zimperium. "If that were not enough, the attacker might be able to track the IMEI, IMSI and other sensitive information on your smartphone. Once a fake update is installed, the software starts automatically without further verification."
The vulnerability was discovered and disclosed to the AirDroid developers last May, and it is still present in the latest software version (184.108.40.206), released a few days ago. Although the software uses HTTPS for most of its traffic, some data is exchanged over the less secure HTTP, including update notifications and the update files themselves. The latter are protected with DES encryption, whose key is not difficult to recover.
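The missing step the article describes is a check on the update that does not depend on a secret shipped inside the app. The following is an added example, not AirDroid's code: a client that installs a package only if its SHA-256 matches a manifest received over an authenticated channel (assumed to be HTTPS) and if the version is newer than the one installed. The manifest format, the version tuple and the sample packages are all constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample: a manifest as it would arrive over the authenticated
# (HTTPS) channel, and two candidate packages fetched over plain HTTP.
GENUINE_PACKAGE = b"\x50\x4b\x03\x04 genuine update payload (constructed)"
TAMPERED_PACKAGE = b"\x50\x4b\x03\x04 substituted update payload (constructed)"

MANIFEST = json.dumps({
    "version": (4, 0, 1),                       # hypothetical version tuple
    "sha256": hashlib.sha256(GENUINE_PACKAGE).hexdigest(),
}).encode()

def parse_manifest(raw: bytes) -> dict:
    """Parse the update manifest; reject anything missing required fields."""
    data = json.loads(raw)
    version = tuple(int(part) for part in data["version"])
    digest = data["sha256"]
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("manifest digest is not a hex SHA-256")
    return {"version": version, "sha256": digest}

def verify_update(package: bytes, manifest: dict, installed: tuple) -> bool:
    """Accept the package only if it is newer and matches the manifest digest."""
    if manifest["version"] <= installed:
        return False                            # downgrade or replayed update
    actual = hashlib.sha256(package).hexdigest()
    # Constant-time comparison so the check does not leak through timing.
    return hmac.compare_digest(actual, manifest["sha256"])

def check(package: bytes, installed: tuple = (4, 0, 0)) -> bool:
    """Full client-side decision for one downloaded package."""
    return verify_update(package, parse_manifest(MANIFEST), installed)

if __name__ == "__main__":
    print("genuine :", check(GENUINE_PACKAGE))                        # True
    print("tampered:", check(TAMPERED_PACKAGE))                       # False
    print("replay  :", check(GENUINE_PACKAGE, installed=(4, 0, 1)))   # False
```

A package substituted on the HTTP path fails the digest check regardless of how the notification itself was encrypted, which is the property a static DES key cannot provide.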
The AirDroid team received the first reports of the vulnerability in May, but it only replied to the Zimperium researchers in September, promising a fix that as of December has not yet arrived. The lack of urgency in releasing the fix may be explained by the fact that the exploit is contained by the Android sandbox and that the device owner must accept the incoming request. According to Zimperium, however, the case should not be underestimated.
AirDroid holds a number of particularly far-reaching permissions, such as the ability to make in-app purchases and access to contacts, the device's location, text messages, photos, the camera, the microphone, Wi-Fi data, calls and the device's identity. Disguised as an update, a malicious package can still be granted the full set of user permissions, because the user is led to believe it is a legitimate update.
The risk can be partly mitigated by using a VPN, but for now it is recommended to use AirDroid only when connected to secure, trusted networks while waiting for a patch that changes the application's approach.