AirDroid is a popular remote management tool for Android. It has an estimated user base of over 50 million devices according to the Google Play Store.
AirDroid is one of several services that allows Android users to send and receive text messages, as well as transfer files and see notifications, from their computer. According to the Play Store, AirDroid has somewhere between 10 and 50 million installs (not counting anyone directly installing the APK from the AirDroid website).
Mobile security company Zimperium recently released details of several major security vulnerabilities in AirDroid, allowing attackers on the same network to access user information and even execute code on a user's phone.
AirDroid relies on insecure communication channels in order to send the same data used to authenticate the device to their statistics server. Such requests are encrypted with DES ( ECB mode ) however the encryption key is hardcoded inside the application itself (thus known to an attacker).
Any malicious party on the same network of the target device could execute a man in the middle attack in order to obtain authentication credentials and impersonate the user for further requests.
Impact A malicious party could perform a MITM network attack and grab the device authentication information as shown in the “Details” section from the very first HTTP request the application performs.
This HTTP request can be decrypted at runtime using the 890jklms key hardcoded inside the application and the authentication fields parsed from the resulting JSON.
Having this information, the attacker can now impersonate the victim’s device and perform various HTTP or HTTPS requests on its behalf to the AirDroid API endpoints.
In summary, attackers on the same network as an AirDroid user can intercept user information (including account login and password), as well as send malicious applications to phones with AirDroid disguised as add-on updates. Sand Studio (the developers of AirDroid) had seven months to fix these issues, and they still remain. If you are using AirDroid, you should disable or uninstall it immediately.
COMMENTS