How can the AirDroid app phone hijacking be prevented?
A vulnerability in the AirDroid device manager app left users at risk of phone hijacking. Expert Michael Cobb explains how the exploit works, and what can be done to prevent it.
A severe Android app vulnerability was discovered recently by Check Point researchers. According to their report, the AirDroid device manager app contained a flaw that put approximately 50 million users at risk of phone data hijacking. How does the vulnerability work, and besides patching the AirDroid app, what other measures can security teams take to avoid data hijacking?
AirDroid is a popular Android device manager application that allows users to remotely access and control their Android phone or tablet from their computer. Using the AirDroid app, users can manage SMS, email, WhatsApp messages, files, contacts, photos and other data directly from their desktop. The Android device can be either directly connected to the desktop or in some other location. While researching the app, Check Point found a vulnerability that would allow an attacker to take control of the Android device.
To exploit the vulnerability, an attacker needs to know their victim's phone number. Once they have this, all they need to do is send a specially crafted vCard, designed to look like a legitimate contact, to the target via SMS, email or WhatsApp. Malicious code can be hidden in the vCard's name field. If the victim accepts and saves the vCard using the AirDroid desktop client, the attacker then sends a text message from the fake contact. When the victim reads the message using the AirDroid app, the malicious code is loaded and executed inside the AirDroid webpage. This gives the attacker a valid session token with which to exploit the AirDroid app's APIs and its PC-to-mobile synchronization abilities, enabling them to collect and extract data from the phone or do anything else the AirDroid app can, such as sending SMS messages.
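The class of flaw described above, contact text from an untrusted vCard rendered as markup in a web interface, is shown below as an added example; it is not AirDroid's code, and the function names, the sample vCard and the rendering approach are assumptions made for illustration. It places the weak rendering beside an escaped version and adds a simple import-time check on the name field.

```javascript
// Added illustration, not AirDroid's code. All names and the vCard are constructed.
const SAMPLE_VCARD = [
  'BEGIN:VCARD',
  'VERSION:3.0',
  'FN:Alice <script>void 0</script>', // constructed: inert markup in the name field
  'TEL;TYPE=CELL:+15550100',
  'END:VCARD',
].join('\r\n');

// Pull the formatted name (FN) out of a vCard, unfolding continuation lines first.
function vcardName(text) {
  const unfolded = text.replace(/\r?\n[ \t]/g, '');
  for (const line of unfolded.split(/\r?\n/)) {
    const m = /^FN(?:;[^:]*)?:(.*)$/i.exec(line);
    if (m) return m[1];
  }
  return null;
}

const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Weak: the untrusted name is concatenated into markup, so tags in it stay live.
function renderSenderUnsafe(name) {
  return '<span class="sender">' + name + '</span>';
}

// Hardened: the name is encoded for an HTML text context before it reaches the page.
function renderSenderSafe(name) {
  return '<span class="sender">' + escapeHtml(name) + '</span>';
}

// Import-time check: a display name has no reason to contain markup characters.
function nameLooksLikeMarkup(name) {
  return /[<>]|&#/.test(name);
}

const contactName = vcardName(SAMPLE_VCARD);
console.log(renderSenderUnsafe(contactName)); // tag survives intact
console.log(renderSenderSafe(contactName));   // tag is shown as text
console.log(nameLooksLikeMarkup(contactName));
```

Output encoding at render time is the control that matters; the name check is a secondary signal that can be logged or used to quarantine a contact before it is saved.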
This isn't the first vulnerability associated with contact cards being shared among users. Check Point found that WhatsApp Web, the web-based extension of the WhatsApp phone app, allowed attackers to compromise a victim's computer by sending them a vCard containing malicious code.
In January, AirDroid released an updated version of its app that contains a fix for the vulnerability, and network administrators need to ensure that users have it installed. This is best done using a mobile threat prevention or mobile device management solution like those from Check Point, ESET, FireEye and other antivirus vendors. These products allow IT managers to monitor the patching of their mobile environment and alert users who are at risk from unpatched vulnerabilities. Security awareness training should promote the best practice of always entering contact details by hand and never accepting an unexpected vCard, or one from an unknown number or contact.