Multiple vulnerabilities have been found in AirDroid, which leaves millions vulnerable to man-in-the-middle (MITM) attacks, information leakage and remote hijacking.
AirDroid, a popular remote management tool for Android with an estimated user base of more than 50 million devices, relies on insecure communication channels to send the data used to authenticate the device to a statistics server, according to researchers at Zimperium's zLabs.
Such requests are encrypted; however, the encryption key is hardcoded inside the application itself (and thus known to an attacker). So, any malicious party on the same network of the target device could execute a MITM attack in order to obtain authentication credentials and impersonate the user for further requests on its behalf to the AirDroid API endpoints.
For instance, an attacker performing an MITM attack and redirecting HTTP traffic to a malicious transparent proxy could modify the response for the /phone/vncupgrade request, which is normally used by the application to check for add-ons and updates. By injecting a new update, the attacker can remotely execute custom code on the target device.
According to an analysis from Simone Margaritelle, a zLabs researcher, the flaws have been acknowledged by the vendor, but when a new update was released on Nov. 24, the software was still vulnerable. No patch has been made available.
Mitigations include using only secure communication channels, verifying the remote public key in order to avoid SSL MITM, and, for additional encryption, using safe key exchange mechanisms such as Diffie-Hellman instead of hardcoded encryption keys inside the app. Users should also leverage and verify digital signatures for update files.
The safest course of action of course is to uninstall or disable AirDroid until a fix is available.