Vulnerability in AirDroid Impacts Over 50 Million Android Devices

Android  remote management tool AirDroid  has Vulnerability that can potentially impact over 50 million devices  as warned by the security researchers at Zimperium zLabs.

AirDroid has between 10 million and 50 million downloads from the official Google Play software portal, and also the security firm says that its device base is larger than that. According to Zimperium, vulnerabilities in AirDroid allows an attacker to exploit the built-in features and use them against the app users.

The main issue that the security researchers pointed is that AirDroid uses insecure communication channels. This means that the app’s millions of users are exposed to a MitM attack and other kinds of attacks.There is also a high risk of information leak along with remote hijacking of update APKs which could result in remote code execution.

While analysing AirDroid, the security researchers discovered that the communication channels employed to send authentication data to the statistics server are insecure. While the requests are encrypted with the Data Encryption Standard (DES) symmetric-key block cipher in Electronic Codebook (ECB) mode, the encryption key is hardcoded inside the application, meaning that the attacker knows it.

Armed with these details, an actor on the same network with the target device could execute MitM attacks to grab authentication credentials from the very first HTTP request the application performs, and can then impersonate the user for further requests, Zimperium’s Simone Margaritelli explains.

“This HTTP request can be decrypted at runtime using the 890jklms key hardcoded inside the application and the authentication fields parsed from the resulting JSON. Having this information, the attacker can now impersonate the victim’s device and perform various HTTP or HTTPS requests on its behalf to the AirDroid API endpoints,” the researcher notes.

An attacker could craft a payload encrypted in DES with the same exact key to trick the server into spewing user information, which will result in the email and password hash being exposed.

 

Related posts

Glove Stealer Emerges A New Malware Threat For Browsers

ANY.RUN Discovers Tricky Phishing Attack Using Fake CAPTCHA

Kia Dealer Portal Vulnerability Risked Millions of Cars