Bishop Fox named “Leader” in 2024 GigaOm Radar for Attack Surface Management. Read the Report ›

AirDroid: How Much Do Your Apps Know?

Person typing on laptop out of focus cellphone in focus AirDroid: How Much Do Your Apps Know?


The AirDroid app for Android has surpassed 20 million downloads from the Google Play store and has received raving reviews from the likes of USA Today and Lifehacker. The app’s function is to help a user organize his or her life by providing the remote ability to send text messages, edit files, manage other apps, and even perform GPS tracking.

Unfortunately, for all its accolades, AirDroid is vulnerable to a pretty serious authentication bug.

This bug allows a remote attacker to essentially take over an otherwise unsuspecting victim’s phone. All an attacker needs to do is to send a malicious link; all a victim needs to do is click on it.

The attack can be carried out silently, meaning that it works even when the app isn’t operating. Just having it installed on a device is enough.

Once an attacker gains access to a victim’s phone, the possibilities are plentiful. An attacker can:

• Take photos of the victim via the phone’s camera.
• Track the victim via GPS.
• Harass the victim’s friends and family via contacts.

Basically, anything that AirDroid can access becomes fair game for an attacker.

How This Works

This proof-of-concept video shows the AirDroid exploit in action.

The following is a play-by-play description:

1.) The attacker sends the victim an innocent-seeming link.
2.) The victim takes the bait and clicks the link.
3.) Click! The attacker – specifically, his or her website – now has control of the victim’s phone.
4.) The webpage opens, sending a text message to the victim and taking a photo of him or her as well.
5.) The photo is sent to the attacker, who then uses it to taunt the victim.

For a more technical explanation, check out our official advisory write-up.

Don’t Panic!

You don’t have to be a victim to this sort of exploit, though. There is a solution: We disclosed the bug to AirDroid’s team, and they were more than happy to work with us. They have released a fix in their web interface's most recent version. We have tested this, and have found it more than adequate.

Exercise Caution

The more important lesson here, though, goes far beyond this particular bug. Careful scrutiny is a must when allowing mobile applications extensive permissions. Therefore, exercise caution when permitting an app pervasive access to your phone. It’s easy to be desensitized to lengthy permission lists, as so many apps come with overbearing requests for access. Most people are fast to ignore these lists and accept all requests for the sake of convenience.

Subscribe to Bishop Fox's Security Blog

Be first to learn about latest tools, advisories, and findings.

Default fox headshot blue

About the author, Matt Bryant

Bishop Fox Alumnus

Matt Bryant is a security researcher. He was formerly a consultant at Bishop Fox.

More by Matt

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.