Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

50 Million Potentially Impacted by AirDroid Vulnerabilities

Vulnerabilities in the Android remote management tool AirDroid potentially impact over 50 million devices, security researchers at Zimperium zLabs warn.

Vulnerabilities in the Android remote management tool AirDroid potentially impact over 50 million devices, security researchers at Zimperium zLabs warn.

The application has seen between 10 and 50 million downloads through the official Google Play software portal, but the security firm says that its device base is larger than that. According to Zimperium (the security firm that discovered the Stagefright flaw in Android), vulnerabilities in AirDroid allow an attacker to exploit built-in features and use them against the application’s users.

The issue, the security researchers say, is that AirDroid uses insecure communication channels, which means that the application’s millions of users are exposed to Man-in-the-Middle (MitM) attacks and other types of nefarious acts. Information leakage is also possible, along with remote hijacking of update APKs, which could result in remote code execution.

While analyzing AirDroid, the security researchers discovered that the communication channels employed to send authentication data to the statistics server are insecure. While the requests are encrypted with the Data Encryption Standard (DES) symmetric-key block cipher in Electronic Codebook (ECB) mode, the encryption key is hardcoded inside the application, meaning that the attacker knows it.

Armed with these details, an actor on the same network with the target device could execute MitM attacks to grab authentication credentials from the very first HTTP request the application performs, and can then impersonate the user for further requests, Zimperium’s Simone Margaritelli explains.

“This HTTP request can be decrypted at runtime using the 890jklms key hardcoded inside the application and the authentication fields parsed from the resulting JSON. Having this information, the attacker can now impersonate the victim’s device and perform various HTTP or HTTPS requests on its behalf to the AirDroid API endpoints,” the researcher notes.

An attacker could craft a payload encrypted in DES with the same exact key to trick the server into spewing user information, which will result in the email and password hash being exposed.

What’s more, an attacker performing MitM could also redirect HTTP traffic to a malicious transparent proxy, thus being able to modify the response for the /phone/vncupgrade request, which the application normally uses to check for addons updates. Thus, by injecting a fake update, the actor could execute malicious code remotely on the compromised device, because AirDroid notifies the user about an update, downloads the RCE.apk package, and might even prompt the user to install it.

Zimperium notes that most of the AirDroid’s functionalities are carried out using secure HTTPS API endpoints, but insecure channels are used for specific tasks, such as the sending of statistics to a remote server. For security, the app relies on DES encrypted JSON payloads for this type of communication, but the use of a hardcoded key (determined to be 890jklms) nullifies the security measure.

To resolve these issues, researchers say, the application should use only secure communication channels (HTTPS), should verify the remote public key (key pinning) to avoid SSL MitM, should use safe key exchange mechanisms, and should leverage and verify digital signatures for update files.

The company also explains that these issues were discovered in May this year, when the developer was notified. However, although two updates were released this week in the form of AirDroid 4.0.0 and AirDroid 4.0.1, the application continues to be vulnerable, putting tens of millions of users at risk.

To stay protected, Zimperium says, users are advised to uninstall or disable AirDroid until a fix is available. They should also install and maintain an anti-malware solution on their Android devices.

Related: Attackers Exploited Chrome Zero-Day to Deliver Android Trojan

Related: Android Root Exploits Abuse Dirty COW Vulnerability

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.