AirDroid Exploit Puts 20 Million Users At Risk

A mobile security team called Zimperium has discovered major security issues in AirDroid, a popular Android app that lets you manage your mobile device wirelessly.

AirDroid Has Security Vulnerabilities

AirDroid is one of many apps that let Android users exchange text messages, transfer files and see notifications from their computer. According to the Google Play Store, AirDroid has around 50 million downloads, and the app has now been found to contain vulnerabilities that allow attackers to access your information and even execute code on a user’s phone.

Zimperium informed Sand Studio, the developer team behind AirDroid, about the discovered vulnerabilities more than six months ago, and Sand Studio promised to fix the security issues through patches in its updates.

When Zimperium checked again later, it found that the issues still existed in the latest version of the app.

How the App Makes You Vulnerable

The issue arises because AirDroid uses the same HTTP request to authorize the device and to send usage statistics. This allows malicious parties to exploit the app’s built-in functionality and use it against users on the same network.

The key used to encrypt this request is hardcoded into the application, meaning that everyone using the app has the same key. An attacker on the same network can intercept the authentication request (a man-in-the-middle attack), read it using the key extracted from any AirDroid APK (application package), and gain access to private account information, such as the email address and password associated with your AirDroid account.

Moreover, attackers using a transparent proxy can also intercept the network request AirDroid sends to check for add-on updates and inject any APK they want. AirDroid would then notify the user about the add-on update, begin downloading the malicious APK, and ask the user to accept the installation afterwards, leaving the device open to malicious applications and further attacks.
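A client-side check that would refuse the swapped add-on described above, as an added example that is not AirDroid's code. The pinned digest list, the function name and the example.com URLs are assumptions, and the package bytes are constructed stand-ins.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed sample data: stand-ins for add-on packages, not real APKs.
GENUINE_ADDON = b"PK\x03\x04 constructed genuine add-on v2"
INJECTED_ADDON = b"PK\x03\x04 constructed package swapped in transit"

# Assumption: digests of approved add-on builds ship inside the signed app
# release, so they reach the device through the app store and not through
# the update-check request that a proxy on the local network can rewrite.
PINNED_ADDON_DIGESTS = {
    "addon-v2": hashlib.sha256(GENUINE_ADDON).hexdigest(),
}


def check_addon_update(name, download_url, package_bytes,
                       pinned=PINNED_ADDON_DIGESTS):
    """Return (ok, reason); the install prompt is shown only when ok is True."""
    # First gate: never fetch an installable package over cleartext HTTP.
    if urlsplit(download_url).scheme != "https":
        return False, "download URL is not HTTPS"
    # Second gate: the add-on must be one this app release knows about.
    expected = pinned.get(name)
    if expected is None:
        return False, "no pinned digest for this add-on"
    # Third gate: the bytes received must hash to the pinned value, which is
    # what catches a package replaced in transit.
    actual = hashlib.sha256(package_bytes).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, "package digest does not match pinned value"
    return True, "digest matches pinned value"


if __name__ == "__main__":
    cases = [
        ("addon-v2", "https://updates.example.com/addon-v2.apk", GENUINE_ADDON),
        ("addon-v2", "http://updates.example.com/addon-v2.apk", GENUINE_ADDON),
        ("addon-v2", "https://updates.example.com/addon-v2.apk", INJECTED_ADDON),
        ("addon-v3", "https://updates.example.com/addon-v3.apk", GENUINE_ADDON),
    ]
    for name, url, data in cases:
        print(name, url, check_addon_update(name, url, data))
```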

Via PhoneArena

  • I knew that.. that’s why I always suggest to my friends … never use such apps. Also, before Android 6.0, do check app permissions before downloading apps.. a game never needs access to camera, SMS, phone calls etc., so why does a game ask for them? Similarly, there are hundreds of thousands of apps that tell you they will access your SMS, media, camera, mic, Bluetooth, Wi-Fi, browser and almost every part of your mobile..

    After the launch of Android 6.. we have things a little in control; we can disallow apps from accessing your personal data, and I would recommend not using any feature for apps that they are not supposed to do.

    That’s why I installed Android 6 onto my Nexus 4 :)

      • I don’t know why we are more to drag things to fun.. be grown up brother.

        But remember..! Now you've found out, haven't you.. keep it on six!

        • Who the hell with this news. Nothing special. We all know nothing is safe if u r online

          Mind it or pass it :D

          • Always do appreciate it if somebody puts in his efforts for public awareness. The writer wrote something (perhaps) 90% of people using the internet always know. But still, such reminders alarm people not to put up their “personal” pictures. :P (I know you got it.. what “personal pictures” means)
