Tens of millions of users of AirDroid, a remote management tool for Android, are vulnerable to man-in-the-middle attacks that could lead to data theft and their devices being compromised through malicious updates.
According to Zimperium researchers, such attacks can be performed when users find themselves on the same unsecured network as the attacker (e.g. an insecure public Wi-Fi network).
“AirDroid relies on secure HTTPS API endpoints for most of its functionalities, but during our analysis we’ve found that other insecure channels are used for specific tasks,” the researchers noted.
For example, the apps sends statistics to the app developers’ servers over HTTP, but uses a minimal layer of security to protect the data: a symmetric encryption scheme called DES.
“A malicious party could perform a MITM network attack and grab the device authentication information (…) from the very first HTTP request the application performs,” they explained.
“This HTTP request can be decrypted at runtime using the 890jklms key hardcoded inside the application and the authentication fields parsed from the resulting JSON. Having this information, the attacker can now impersonate the victim’s device and perform various HTTP or HTTPS requests on its behalf to the AirDroid API endpoints.”
In addition to this, the attackers could also redirect and modify the HTTP traffic sent and received by the device when it checks for updates, and plant a malicious update for it to use. The app does not verify if the served update is legitimate.
Zimperium notified the app’s developers of these vulnerabilities, but even though they acknowledged the results, never versions of the app are still vulnerable.
This failure to secure the app has prompted the researchers to share the knowledge publicly, and they have also provided PoC modules to demonstrate the information leak and remote code execution flaws.
Here is a video demo of the exploitation:
The researchers advise users to uninstall or disable AirDroid until a fix for these issues is made available.