Android device manager app vuln leaves millions at risk of pwnage

Flaws in a widely used Android device manager app leave users at risk of phone data hijacking and malicious code execution unless they update their smartphones, security researchers warn.

Flaws in the AirDroid, a free device manager app which allows users to access their Android devices through their computers, leave an estimated 50 million users exposed to potential hacking unless they patch, Check Point warns.

Attacks could take the form of something as simple as a booby-trapped SMS message or contact request. Once exploited, the security flaw would enables attackers to execute malicious code on a compromised device before siphoning off sensitive data or pulling off other hacker attacks.

“The AirDroid attack flow provides cybercriminals with a very easy way to target users: sending a contact card and an SMS message to execute the attack,” said Oded Vanunu, security research group manager at Check Point. “The main threat is a complete theft of private information – imagine, for example, that just receiving an SMS message can result in all of the user’s data being stolen. Another threat is that an attacker could control the content of the target’s device.”

Check Point notified AirDroid of the vulnerability last November. AirDroid rolled out the initial fix in web clients worldwide days later. But AirDroid released an update to its application that contains the latest fix [version 3.2.0] on 29 January, or around three weeks before Check Point went public with its discovery on Wednesday.

We asked AirDroid for comment and were told: “This issue has been fixed… please update to the latest version with more useful features."

AirDroid users who haven’t done so already are urged to update their application. ®