The AirDroid app for Android has surpassed 20 million downloads from the Google Play store and has received raving reviews from the likes of USA Today and Lifehacker. The app’s function is to help a user organize his or her life by providing the remote ability to send text messages, edit files, manage other apps, and even perform GPS tracking.
Unfortunately, for all its accolades, AirDroid is vulnerable to a pretty serious authentication bug.
This bug allows a remote attacker to essentially take over an otherwise unsuspecting victim’s phone. All an attacker needs to do is to send a malicious link; all a victim needs to do is click on it.
The attack can be carried out silently, meaning that it works even when the app isn’t operating. Just having it installed on a device is enough.
Once an attacker gains access to a victim’s phone, the possibilities are plentiful. An attacker can:
• Take photos of the victim via the phone’s camera.
• Track the victim via GPS.
• Harass the victim’s friends and family via contacts.
Basically, anything that AirDroid can access becomes fair game for an attacker.
This proof-of-concept video shows the AirDroid exploit in action.
The following is a play-by-play description:
1.) The attacker sends the victim an innocent-seeming link.
2.) The victim takes the bait and clicks the link.
3.) Click! The attacker – specifically, his or her website – now has control of the victim’s phone.
4.) The webpage opens, sending a text message to the victim and taking a photo of him or her as well.
5.) The photo is sent to the attacker, who then uses it to taunt the victim.
For a more technical explanation, check out our official advisory write-up.
You don’t have to be a victim to this sort of exploit, though. There is a solution: We disclosed the bug to AirDroid’s team, and they were more than happy to work with us. They have released a fix in their web interface's most recent version. We have tested this, and have found it more than adequate.
The more important lesson here, though, goes far beyond this particular bug. Careful scrutiny is a must when allowing mobile applications extensive permissions. Therefore, exercise caution when permitting an app pervasive access to your phone. It’s easy to be desensitized to lengthy permission lists, as so many apps come with overbearing requests for access. Most people are fast to ignore these lists and accept all requests for the sake of convenience. For example, when installing AirDroid, this list of permissions is displayed:
When saying “okay” to all of these items, you’re placing your trust not only in the app itself, but also in its security. Our advice is to consider whether or not an app truly needs all the access it’s asking for. For example, does a flashlight app require access to your phone contacts? Probably not. If an app seems like it's requesting too many permissions, it most likely is.
AirDroid is a best-case scenario, but there will likely be – and probably already are – apps with similar unresolved vulnerabilities that can be leveraged by attackers. The best advice to avoid falling for such attacks is to be mindful of an app’s level of permissions. The more permissions you give, the more you may be putting yourself at risk.