Security research firm Zimperium recently disclosed what they termed as “multiple vulnerabilities” in the popular Android app called AirDroid which is used generally to push SMS notifications from your device to another screen, particularly your laptop or desktop. Recently, the developers of AirDroid have focused on file transfers as well. It appears that a hacker on the same network as the connected devices would be able to intercept and steal data, as well as push an update that would lead to remote code execution.
The “man in the middle” attack is done when a hacker can get in between two connected devices and either steal sent data or push malicious code. AirDroid is a remote management tool popular with Android users, and it hinges on two devices being connected to the same network for the tool to be used properly. Zimperium has found that even in AirDroid’s latest version, communication channels between devices are not secure, and a malicious hacker on the same network could possibly obtain authentication credentials and impersonate the user for further requests.
This could lead to data being compromised, especially if you’re sending critical information from your phone to your laptop. Worse, this vulnerability could open up a hole where the hacker could push an update APK (installer) that when installed could give the hacker remote code execution on the Android device itself.
From Zimperium’s published calendar, they have initially informed AirDroid about these vulnerabilities in May of this year. After multiple follow-ups, the current version – AirDroid 3.0.1 – is still found to be vulnerable. Finally, AirDroid has responded with a blog post dated December 2nd, saying that they are hard at work to finally patch this vulnerability, and that we should expect an update soon.