The AirDroid app for Android has surpassed 20 million downloads from the Google Play store and has received raving reviews from the likes of USA Today and Lifehacker. The app’s function is to help a user organize his or her life by providing the remote ability to send text messages, edit files, manage other apps, and even perform GPS tracking.
Unfortunately, for all its accolades, AirDroid is vulnerable to a pretty serious authentication bug.
This bug allows a remote attacker to essentially take over an otherwise unsuspecting victim’s phone. All an attacker needs to do is to send a malicious link; all a victim needs to do is click on it.
The attack can be carried out silently, meaning that it works even when the app isn’t operating. Just having it installed on a device is enough.
Once an attacker gains access to a victim’s phone, the possibilities are plentiful. An attacker can:
• Take photos of the victim via the phone’s camera.
• Track the victim via GPS.
• Harass the victim’s friends and family via contacts.
Basically, anything that AirDroid can access becomes fair game for an attacker.
How This Works
This proof-of-concept video shows the AirDroid exploit in action.
The following is a play-by-play description:
1.) The attacker sends the victim an innocent-seeming link.
2.) The victim takes the bait and clicks the link.
3.) Click! The attacker – specifically, his or her website – now has control of the victim’s phone.
4.) The webpage opens, sending a text message to the victim and taking a photo of him or her as well.
5.) The photo is sent to the attacker, who then uses it to taunt the victim.
For a more technical explanation, check out our official advisory write-up.
Don’t Panic!
You don’t have to be a victim to this sort of exploit, though. There is a solution: We disclosed the bug to AirDroid’s team, and they were more than happy to work with us. They have released a fix in their web interface's most recent version. We have tested this, and have found it more than adequate.
Exercise Caution
The more important lesson here, though, goes far beyond this particular bug. Careful scrutiny is a must when allowing mobile applications extensive permissions. Therefore, exercise caution when permitting an app pervasive access to your phone. It’s easy to be desensitized to lengthy permission lists, as so many apps come with overbearing requests for access. Most people are fast to ignore these lists and accept all requests for the sake of convenience.
Subscribe to Bishop Fox's Security Blog
Be first to learn about latest tools, advisories, and findings.
Thank You! You have been subscribed.
Recommended Posts
You might be interested in these related posts.
Dec 12, 2024
Our Favorite Pen Testing Tools: 2024 Edition
Oct 15, 2024
Off the Fox Den Bookshelf: Security and Tech Books We Love
Sep 17, 2024
Navigating DORA Compliance: A Comprehensive Approach to Threat-Led Penetration Testing
Aug 28, 2024
Offensive Security Under the EU Digital Operational Resilience Act (DORA)