Vulnerability in AirDroid Impacts Over 50 Million Android Devices

  • 400
  •  
  •  
  •  
  •  
  •  
  •  
  •  
    400
    Shares

Android  remote management tool AirDroid  has Vulnerability that can potentially impact over 50 million devices  as warned by the security researchers at Zimperium zLabs.

AirDroid has between 10 million and 50 million downloads from the official Google Play software portal, and also the security firm says that its device base is larger than that. According to Zimperium, vulnerabilities in AirDroid allows an attacker to exploit the built-in features and use them against the app users.

The main issue that the security researchers pointed is that AirDroid uses insecure communication channels. This means that the app’s millions of users are exposed to a MitM attack and other kinds of attacks.There is also a high risk of information leak along with remote hijacking of update APKs which could result in remote code execution.

While analysing AirDroid, the security researchers discovered that the communication channels employed to send authentication data to the statistics server are insecure. While the requests are encrypted with the Data Encryption Standard (DES) symmetric-key block cipher in Electronic Codebook (ECB) mode, the encryption key is hardcoded inside the application, meaning that the attacker knows it.

Armed with these details, an actor on the same network with the target device could execute MitM attacks to grab authentication credentials from the very first HTTP request the application performs, and can then impersonate the user for further requests, Zimperium’s Simone Margaritelli explains.

“This HTTP request can be decrypted at runtime using the 890jklms key hardcoded inside the application and the authentication fields parsed from the resulting JSON. Having this information, the attacker can now impersonate the victim’s device and perform various HTTP or HTTPS requests on its behalf to the AirDroid API endpoints,” the researcher notes.

An attacker could craft a payload encrypted in DES with the same exact key to trick the server into spewing user information, which will result in the email and password hash being exposed.

 

The following two tabs change content below.

William Fieldhouse

I currently work full time as a penetration tester and have been involved within the IT security industry for over a decade. I also love to pioneer any forms of new technology and ideologies for future advancements. Feel free to contact me at [email protected]

William Fieldhouse

I currently work full time as a penetration tester and have been involved within the IT security industry for over a decade. I also love to pioneer any forms of new technology and ideologies for future advancements. Feel free to contact me at [email protected]

Leave a Reply