Vulnerabilities in the Android remote management tool AirDroid potentially impact over 50 million devices, security researchers at Zimperium zLabs warn.
The application has seen between 10 and 50 million downloads through the official Google Play software portal, but the security firm says that its device base is larger than that. According to Zimperium (the security firm that discovered the Stagefright flaw in Android), vulnerabilities in AirDroid allow an attacker to exploit built-in features and use them against the application’s users.
The issue, the security researchers say, is that AirDroid uses insecure communication channels, which means that the application’s millions of users are exposed to Man-in-the-Middle (MitM) attacks and other types of nefarious acts. Information leakage is also possible, along with remote hijacking of update APKs, which could result in remote code execution.
While analyzing AirDroid, the security researchers discovered that the communication channels employed to send authentication data to the statistics server are insecure. While the requests are encrypted with the Data Encryption Standard (DES) symmetric-key block cipher in Electronic Codebook (ECB) mode, the encryption key is hardcoded inside the application, meaning that the attacker knows it.
Armed with these details, an actor on the same network with the target device could execute MitM attacks to grab authentication credentials from the very first HTTP request the application performs, and can then impersonate the user for further requests, Zimperium’s Simone Margaritelli explains.
“This HTTP request can be decrypted at runtime using the 890jklms key hardcoded inside the application and the authentication fields parsed from the resulting JSON. Having this information, the attacker can now impersonate the victim’s device and perform various HTTP or HTTPS requests on its behalf to the AirDroid API endpoints,” the researcher notes.
An attacker could craft a payload encrypted in DES with the same exact key to trick the server into spewing user information, which will result in the email and password hash being exposed.
What’s more, an attacker performing MitM could also redirect HTTP traffic to a malicious transparent proxy, thus being able to modify the response for the /phone/vncupgrade request, which the application normally uses to check for addons updates. Thus, by injecting a fake update, the actor could execute malicious code remotely on the compromised device, because AirDroid notifies the user about an update, downloads the RCE.apk package, and might even prompt the user to install it.
Zimperium notes that most of the AirDroid’s functionalities are carried out using secure HTTPS API endpoints, but insecure channels are used for specific tasks, such as the sending of statistics to a remote server. For security, the app relies on DES encrypted JSON payloads for this type of communication, but the use of a hardcoded key (determined to be 890jklms) nullifies the security measure.
To resolve these issues, researchers say, the application should use only secure communication channels (HTTPS), should verify the remote public key (key pinning) to avoid SSL MitM, should use safe key exchange mechanisms, and should leverage and verify digital signatures for update files.
The company also explains that these issues were discovered in May this year, when the developer was notified. However, although two updates were released this week in the form of AirDroid 4.0.0 and AirDroid 4.0.1, the application continues to be vulnerable, putting tens of millions of users at risk.
To stay protected, Zimperium says, users are advised to uninstall or disable AirDroid until a fix is available. They should also install and maintain an anti-malware solution on their Android devices.