For at least the past six months, a popular remote management app available in the official Google Play Store has opened tens of millions of Android users to code-execution and data-theft attacks when they use unsecured networks, researchers said Thursday.
As recently as earlier this week—and possibly even at this moment—the most up-to-date versions of AirDroid have used a static and easily detectable encryption key when transmitting update files and sensitive user data, according to a blog post published by security firm Zimperium. Attackers who are on the same network can exploit the weakness to push fraudulent updates or view potentially sensitive user information, including the international mobile equipment identity (IMEI) and international mobile subscriber identity (IMSI) designations that are unique to each phone. The app has been downloaded 10 million to 50 million times from the official Google Play Store.
“A malicious party on the same network as the victim can leverage this vulnerability to remotely gain full control of their device,” Simone Margaritelli, principal security researcher at Zimperium’s zLabs, told Ars. “Moreover, the attacker will be able to see the user’s sensitive information such as the IMEI, IMSI, and so forth. As soon as the update, or fake update, is installed the software automatically launches the updated [Android app file] without ever verifying who built it.”
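The failure described above has two parts: update files protected only by a static symmetric key that any observer on the network can recover, and an installer that launches whatever APK arrives without checking who signed it. The second part is the one an app can close on its own. The following Android snippet is an added illustration, not AirDroid's code or anything from Zimperium's post; it pins the SHA-256 fingerprint of the vendor's APK signing certificate at build time and refuses to hand a downloaded update to the installer unless the file was signed by that certificate. The class name, the `EXPECTED_SIGNER_SHA256` placeholder value and the file path are assumptions for the example.

```java
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Added example (not the app's own code): verify that a downloaded update APK
 * was signed by the vendor's pinned signing certificate before installing it.
 * Transport encryption alone, especially with a static key, proves nothing
 * about who built the file; the APK signature does.
 */
public final class UpdateVerifier {

    // Placeholder: replace with the hex SHA-256 of the vendor's real signing
    // certificate (DER bytes), pinned at build time. This value is invented.
    private static final String EXPECTED_SIGNER_SHA256 =
        "0000000000000000000000000000000000000000000000000000000000000000";

    private UpdateVerifier() {}

    /**
     * Returns true only if the APK at apkPath carries exactly one signer and
     * that signer's certificate hashes to the pinned fingerprint.
     */
    public static boolean isSignedByExpectedKey(PackageManager pm, String apkPath) {
        // GET_SIGNATURES is deprecated since API 28 in favour of
        // GET_SIGNING_CERTIFICATES / PackageInfo.signingInfo, but it still works
        // for reading the signer of an APK file on disk.
        @SuppressWarnings("deprecation")
        PackageInfo info = pm.getPackageArchiveInfo(apkPath, PackageManager.GET_SIGNATURES);
        if (info == null || info.signatures == null || info.signatures.length != 1) {
            // Unparseable, unsigned, or multiple signers: reject rather than guess.
            return false;
        }
        Signature signer = info.signatures[0];
        String actual = sha256Hex(signer.toByteArray());
        if (actual == null) {
            return false;
        }
        // Constant-time comparison of the two fingerprints.
        return MessageDigest.isEqual(
            actual.getBytes(StandardCharsets.US_ASCII),
            EXPECTED_SIGNER_SHA256.getBytes(StandardCharsets.US_ASCII));
    }

    /** Lower-case hex SHA-256 of the given bytes, or null if SHA-256 is unavailable. */
    static String sha256Hex(byte[] data) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            return null;
        }
    }

    /**
     * Gate for the update flow: callers should invoke the install Intent only
     * when this returns true, and delete the file otherwise.
     */
    public static boolean shouldInstall(PackageManager pm, String downloadedApkPath) {
        boolean ok = isSignedByExpectedKey(pm, downloadedApkPath);
        if (!ok) {
            // Assumed hook: log a security event so a tampered update is visible
            // to the user or to telemetry instead of silently installing.
            android.util.Log.w("UpdateVerifier",
                "Rejected update: signer does not match pinned certificate");
        }
        return ok;
    }
}
```

Two points about the design. The check pins the certificate fingerprint, not the package name, because the package name is chosen by whoever builds the APK; only the signing key is something an on-path attacker does not hold. And the check sits in the app's own code path rather than relying on the platform, because Android's signature-continuity rule only applies once a package is installed; a first-time install of an arbitrary APK handed to the installer is accepted regardless of signer, which is exactly the gap the quoted researcher describes.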