For at least the past six months, a popular remote management app available in the official Google Play Store has opened tens of millions of Android users to code-execution and data-theft attacks when they use unsecured networks, researchers said Thursday.
AirDroid, which has been downloaded 10 million to 50 million times from the official Google Play Store, uses a static encryption key, one that is easy to recover from the app itself, when transmitting update files and sensitive user data, according to a blog post published by security firm Zimperium. Since every copy of the app carries the same key, an attacker on the same network can decrypt the traffic and use the weakness to push fraudulent updates or view potentially sensitive user information, including the international mobile equipment identity (IMEI), which uniquely identifies the handset, and the international mobile subscriber identity (IMSI), which identifies the subscriber's SIM.
"A malicious party on the same network as the victim can leverage this vulnerability to remotely gain full control of their device," Simone Margaritelli, principal security researcher at Zimperium's zLabs, told Ars. "Moreover, the attacker will be able to see the user's sensitive information such as the IMEI, IMSI, and so forth. As soon as the update, or fake update, is installed the software automatically launches the updated [Android app file] without ever verifying who built it."
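The two failure modes described above (a key that every attacker holds, and an update that is launched with no check on who built it) and the fix a practitioner would want, as an added Go example that is not code from the original article or from AirDroid. Everything in it is an assumption made for the demonstration: the hard-coded key, the cipher (AES-GCM, not whatever AirDroid actually used), the constructed device report, and the Ed25519-signed update format of the hardened client.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Hypothetical key baked into every copy of the client (an assumption for this
// demonstration, not AirDroid's real key or cipher). Anyone who unpacks the
// APK recovers it, so every attacker on the network holds the same key.
var staticKey = []byte("hardcoded-key-16")

// Constructed sample of the kind of data the article says is exposed.
const deviceReport = `{"imei":"356938035643809","imsi":"310150123456789"}`

func aead() cipher.AEAD {
	block, err := aes.NewCipher(staticKey)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// SealStatic is what the client (or anyone holding the key) does to a message:
// nonce || AES-GCM ciphertext under the shared static key.
func SealStatic(plaintext []byte) []byte {
	g := aead()
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return g.Seal(nonce, nonce, plaintext, nil)
}

// OpenStatic decrypts with the same static key. An on-path attacker runs this
// on the client's device report and reads the IMEI and IMSI in the clear.
func OpenStatic(box []byte) ([]byte, error) {
	g := aead()
	ns := g.NonceSize()
	if len(box) < ns {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	return g.Open(nil, box[:ns], box[ns:], nil)
}

// VulnerableInstall models the flaw: a file that decrypts under the static key
// is treated as genuine and launched. The attacker holds the key too, so a
// forged file passes the only check there is.
func VulnerableInstall(box []byte) ([]byte, error) {
	return OpenStatic(box) // decrypted == trusted; nobody checked who built it
}

// SignedUpdate carries the file plus a detached Ed25519 signature over its
// SHA-256 digest, made with a private key that never leaves the vendor.
type SignedUpdate struct {
	APK []byte
	Sig []byte
}

func SignUpdate(priv ed25519.PrivateKey, apk []byte) SignedUpdate {
	d := sha256.Sum256(apk)
	return SignedUpdate{APK: apk, Sig: ed25519.Sign(priv, d[:])}
}

// HardenedInstall verifies against a public key pinned in the client. The attacker
// can still read and replace bytes on the wire but cannot produce a valid signature.
func HardenedInstall(pinnedPub ed25519.PublicKey, u SignedUpdate) ([]byte, error) {
	d := sha256.Sum256(u.APK)
	if !ed25519.Verify(pinnedPub, d[:], u.Sig) {
		return nil, errors.New("signature does not verify against pinned vendor key")
	}
	return u.APK, nil
}

func main() {
	// 1. Data theft: the client "encrypts" its report, the attacker reads it.
	leaked, _ := OpenStatic(SealStatic([]byte(deviceReport)))
	fmt.Println("attacker reads:", string(leaked))
	// 2. A forged update is accepted by the vulnerable client.
	got, err := VulnerableInstall(SealStatic([]byte("attacker.apk")))
	fmt.Printf("vulnerable client installs %q (err=%v)\n", got, err)
	// 3. The same forgery against the hardened client fails; a genuine one passes.
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, err = HardenedInstall(vendorPub, SignUpdate(attackerPriv, []byte("attacker.apk")))
	fmt.Println("hardened client rejects forgery:", err)
	ok, err := HardenedInstall(vendorPub, SignUpdate(vendorPriv, []byte("genuine.apk")))
	fmt.Printf("hardened client installs %q (err=%v)\n", ok, err)
}
```

Encryption under a key that ships inside the client gives no confidentiality and no authenticity against anyone who has unpacked the app, which is why the hardened path does not rely on the cipher at all for trust: it pins a public key and refuses any file whose signature does not verify. On Android the equivalent is checking the downloaded APK's signing certificate against a pinned one before handing it to the installer, rather than launching whatever file came back from the update URL.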
Here's a video showing a Zimperium-developed proof-of-concept attack exploiting the weakness (video embedded in the original post):
The vulnerability, which Zimperium privately reported to AirDroid developers in May, remained present in AirDroid version 4.0, which was released in mid-November. On Wednesday, AirDroid developers released version 4.0.0.1, and that too remains vulnerable.