AirDroid, a popular Android app used for remote management, has a number of security vulnerabilities that could allow an attacker to intercept and decrypt secure traffic and even inject a malicious app update to gain remote code execution on a target device.
The main issue with the app is the use of a hard-coded encryption key, which an attacker can discover and then use to impersonate a victim. Researchers at Zimperium found the vulnerabilities, and discovered during the research that an attacker could also use the issues to force an affected device to download a malicious app update. The encryption key problem is the root of the other issues, though.
“AirDroid relies on insecure communication channels in order to send the same data used to authenticate the device to their statistics server. Such requests are encrypted with DES ( ECB mode ) however the encryption key is hardcoded inside the application itself (thus known to an attacker). Any malicious party on the same network of the target device could execute a man in the middle attack in order to obtain authentication credentials and impersonate the user for further requests,” Simone Margaritelli, security researcher at Zimperium, said in a post.
“A malicious party could perform a MITM network attack and grab the device authentication information as shown in the “Details” section from the very first HTTP request the application performs. This HTTP request can be decrypted at runtime using the 890jklms key hardcoded inside the application and the authentication fields parsed from the resulting JSON. Having this information, the attacker can now impersonate the victim’s device and perform various HTTP or HTTPS requests on its behalf to the AirDroid API endpoints.”
The attacker could send a specially designed request to the AirDroid server, which will then send back the victim’s email, password, and other information. In order to install the malicious app update, an attacker would just need to run the man-in-the-middle attack and modify the traffic so it goes to a server he controls.
“Moreover, an attacker performing a MITM attack and redirecting HTTP traffic to a malicious transparent proxy, could modify the response for the /phone/vncupgrade request which is normally used by the application to check for add ons updates,” Margaritelli said. “Injecting a new update, thus remotely executing custom code on the target device, is just a matter of modifying this response.”
Zimperium disclosed the bugs to AirDroid’s maker in May and the company eventually released an updated version on Nov. 28, but that version was still vulnerable. A second update two days later didn’t fix the bugs either, so Zimperium released the details of the vulnerabilities on Dec. 1.