Positioned to compete with Apple’s AirDrop, AirDroid was launched as a remote management solution for Android devices. But instead of making device management a breeze, the app has now turned out to put millions of Android devices at high risk.
Mobile security firm Zimperium has reported that AirDroid establishes insecure communication channels that leave its users vulnerable to man-in-the-middle attacks. The app has been installed on over 50 million devices through the Google Play store.
Researchers at Zimperium zLabs claim that attackers can exploit the key functionalities of AirDroid to gain backdoor access to Android devices. The app has access to sensitive components on Android such as contacts, location information, text messages, call logs and even the contents stored on the SD card, all of which could be abused.
“AirDroid relies on insecure communication channels in order to send the same data used to authenticate the device to their statistics server. Such requests are encrypted with DES (ECB mode). However, the encryption key is hardcoded inside the application itself (thus known to an attacker),” security researcher Simone Margaritelli explains in a blog post.
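The quoted point, DES in ECB mode under a key that ships inside the app, is easy to see in code. The Go program below is an added example written for this article; it is not code from AirDroid, Sand Studio or Zimperium, and the key, the record layout and every function name are constructed for illustration. It shows two things: under ECB, equal plaintext blocks produce equal ciphertext blocks, so the structure of a device record leaks before anyone decrypts it, and whoever extracts the embedded key reads the whole record. The contrast function seals the same record with AES-GCM under a per-device key and a fresh nonce, which is what a reviewer would expect instead (and the transport still has to be TLS).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"errors"
	"fmt"
)

// hardcodedKey stands in for a key compiled into an app binary.
// CONSTRUCTED placeholder for this example; it is not AirDroid's key.
var hardcodedKey = []byte("SAMPLEK3") // DES takes exactly 8 bytes

// authRecord is a constructed stand-in for the device data a client might
// send to a statistics endpoint. The repeated field makes ECB leakage visible.
const authRecord = "device=0000000000000000;device=0000000000000000;token=secret"

func pkcs7Pad(data []byte, bs int) []byte {
	n := bs - len(data)%bs
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(data []byte, bs int) ([]byte, error) {
	if len(data) == 0 || len(data)%bs != 0 {
		return nil, errors.New("bad length")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > bs || !bytes.Equal(data[len(data)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return data[:len(data)-n], nil
}

// desEcbEncrypt applies DES in ECB mode: each 8-byte block is encrypted on its
// own, so identical plaintext blocks yield identical ciphertext blocks.
func desEcbEncrypt(key, pt []byte) ([]byte, error) {
	blk, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(pt, blk.BlockSize())
	ct := make([]byte, len(padded))
	for i := 0; i < len(padded); i += blk.BlockSize() {
		blk.Encrypt(ct[i:], padded[i:])
	}
	return ct, nil
}

// desEcbDecrypt is all an observer needs once the key is known.
func desEcbDecrypt(key, ct []byte) ([]byte, error) {
	blk, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct)%blk.BlockSize() != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	pt := make([]byte, len(ct))
	for i := 0; i < len(ct); i += blk.BlockSize() {
		blk.Decrypt(pt[i:], ct[i:])
	}
	return pkcs7Unpad(pt, blk.BlockSize())
}

// repeatedBlocks counts ciphertext blocks identical to an earlier block; a
// nonzero count means the cipher is leaking plaintext structure.
func repeatedBlocks(ct []byte, bs int) int {
	seen := map[string]bool{}
	dups := 0
	for i := 0; i+bs <= len(ct); i += bs {
		b := string(ct[i : i+bs])
		if seen[b] {
			dups++
		}
		seen[b] = true
	}
	return dups
}

// sealAEAD is the contrast: AES-GCM with a random per-message nonce under a
// key provisioned per device, never one compiled into the app.
func sealAEAD(key, pt []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(blk)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, pt, nil), nil // nonce || ciphertext || tag
}

func openAEAD(key, ct []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(blk)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(ct) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ct[:ns], ct[ns:], nil)
}

func main() {
	ct, _ := desEcbEncrypt(hardcodedKey, []byte(authRecord))
	fmt.Printf("DES-ECB: %d repeated 8-byte blocks reveal the record's structure\n", repeatedBlocks(ct, 8))
	pt, _ := desEcbDecrypt(hardcodedKey, ct)
	fmt.Printf("anyone holding the embedded key recovers: %s\n", pt)

	deviceKey := make([]byte, 32)
	rand.Read(deviceKey)
	sealed, _ := sealAEAD(deviceKey, []byte(authRecord))
	fmt.Printf("AES-GCM: %d repeated 16-byte blocks\n", repeatedBlocks(sealed, 16))
}
```

Run it as-is and the DES-ECB output reports three repeated blocks for the constructed record, while the AES-GCM output reports none and changes on every run; the decryption line is the whole point of the quote above, since the key is the only secret and it is not secret.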
These flaws allow attackers to impersonate the affected device and send arbitrary HTTP as well as HTTPS requests to AirDroid’s API endpoints. Moreover, by remotely executing custom code, an attacker can have a malicious app downloaded onto the target device.
Vulnerabilities exist even in the latest version
The Zimperium team notified Sand Studio, the developer of AirDroid, about the vulnerabilities in May. Notably, even the latest release (version 4.0.1) is reported to still be vulnerable on Android devices.
Users are recommended to uninstall the AirDroid app from their Android devices to protect them from remote attacks. Alternatively, the app can be disabled from the settings until a fix is released.