A severe Android app vulnerability was discovered recently by Check Point researchers. According to their report,...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
the AirDroid device manager app contained a flaw that put approximately 50 million users at risk of phone data hijacking. How does the vulnerability work, and besides patching the AirDroid app, what other measures can security teams take to avoid data hijacking?
AirDroid is a popular Android device manager application that allows users to remotely access and control their Android phone or tablet from their computer. Using the AirDroid app, users can manage SMS, email, WhatsApp messages, files, contacts, photos and other data direct from their desktop. The Android device can either be directly connected to the desktop or in some other location. While researching the app, Check Point found a vulnerability that would allow an attacker to take control of the Android device.
To exploit the vulnerability, an attacker needs to know their victim's phone number. Once they have this, all they need to do is send a specially crafted vCard, designed to look like a legitimate contact, to the target via SMS, email or WhatsApp. Malicious code can be hidden in the vCard's name field. If the victim accepts and saves the vCard using the AirDroid desktop client, the attacker then sends a text message from the fake contact. When the victim reads the message using the AirDroid app, the malicious code is loaded and executed inside the AirDroid webpage. This gives the attacker a valid session token with which to exploit the AirDroid app's APIs and its PC-to-mobile synchronization abilities, enabling them to collect and extract data from the phone or do anything else the AirDroid app can, such as sending SMS messages.
This isn't the first vulnerability associated with contact cards being shared among users. Check Point found that WhatsApp Web, the web-based extension of the WhatsApp phone app, allowed attackers to compromise a victim's computer by sending them a vCard containing malicious code.
AirDroid released an updated version of their app that contains a fix for the vulnerability in January and network administrators need to ensure that users have it installed. This is best done using a mobile threat prevention or mobile device management solution like those from Check Point, ESET, FireEye and other antivirus vendors. These products allow IT managers to monitor the patching of their mobile environment and alert users who are at risk from unpatched vulnerabilities. Security awareness training should promote the best practice of always entering contact details by hand and to never accept an unexpected vCard, or one from an unknown number or contact.
Ask the Expert: Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)
Learn about the Blackphone vulnerability patch to prevent phone hijacking
Read about the security tool indicating a rise in Android app vulnerabilities
Find out how to determine mobile app safety and mitigate threats
Dig Deeper on BYOD and mobile device security best practices
Related Q&A from Michael Cobb
A technique known as the GhostHook attack can get around PatchGuard, but Microsoft hasn't patched the flaw. Expert Michael Cobb explains why, as well...continue reading
Software developed by the hacking group Platinum takes advantage of Intel AMT to bypass the built-in Windows firewall. Expert Michael Cobb explains ...continue reading
Tensions between the U.S. and Russia have led to source code reviews on security products, but the process isn't new. Expert Michael Cobb explains ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.