Popular Android remote app AirDroid is vulnerable to hacks

If you’re an Android user, you may have heard of AirDroid, a souped-up remote control app that lets you wirelessly connect to an Android phone or tablet. It’s impressively robust: you can respond to text messages directly from your PC, dismiss or answer an incoming call, silence notifications from certain apps, and even transfer files and photos simply by clicking and dragging. But it’s also frighteningly vulnerable to hacks: according to research firm Zimperium, a nasty security hole has left “tens of millions” of AirDroid’s users susceptible to data-stealing attackers.

At fault is the app’s weak method of encryption. In a blog post published Friday, Zimperium reported that AirDroid’s key — a digital passcode made up of a combination of numbers, letters, and characters — that it uses to obfuscate sensitive updates and data is both “static” and “easily detectable.” And while AirDroid uses the industry-standard HTTPS security protocol to handle most files, the app transfers crucial bits over unencrypted HTTP.

That opens the door for a reasonably skilled hacker to perform what’s known as a man-in-the-middle attack: using a third-party computer to impersonate AirDroid’s servers, deliver fraudulent app updates, and view sensitive information. In this manner, hackers could steal email addresses and passwords, surreptitiously install apps, or even replace the legitimate AirDroid application with a malicious replica.

“A malicious party on the same network as the victim can leverage this vulnerability to take full control of their device,” Simone Margaritelli, Zimperium’s principal security researcher, told Ars Technica. “Moreover, the attacker will be able to see the user’s sensitive information … As soon as the update, or fake update, is installed the software automatically launches the updated [Android app file] without ever verifying who built it.”
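The check the researcher describes as missing, shown as an added Go example rather than code from AirDroid or Zimperium: the client refuses updates fetched over plain HTTP and applies a downloaded package only when its signature verifies against a publisher key pinned in the app. The key helper, URL and payload below are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"net/url"
)

// Update is a downloaded app update as the client sees it: its source,
// the APK bytes, and a detached signature made by the publisher.
type Update struct {
	SourceURL string
	Payload   []byte
	Signature []byte
}

var ErrInsecureTransport = errors.New("update must be fetched over HTTPS")
var ErrBadSignature = errors.New("signature does not verify against the pinned publisher key")

// NewPublisherKey is a hypothetical helper standing in for the publisher's
// key pair: the public half is pinned in the client, the private half stays
// with the publisher's build system.
func NewPublisherKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignUpdate is what the publisher does once, at release time.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) []byte {
	return ed25519.Sign(priv, payload)
}

// VerifyUpdate is the check the article says was missing. Decrypting with a
// static key proves nothing about who built the update; only a signature that
// verifies against the pinned public key does. Plain-HTTP sources are refused
// so a same-network attacker never gets to hand the client a payload at all.
func VerifyUpdate(u Update, pinned ed25519.PublicKey) error {
	parsed, err := url.Parse(u.SourceURL)
	if err != nil || parsed.Scheme != "https" {
		return ErrInsecureTransport
	}
	if !ed25519.Verify(pinned, u.Payload, u.Signature) {
		return ErrBadSignature
	}
	return nil
}
```

A tampered payload, a payload signed with a different key, and a plain-HTTP source are all rejected before anything is installed.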

Zimperium disclosed the vulnerability to AirDroid in May, but it remains present in the newest major release of AirDroid — version 4 — launched in mid-November. A subsequent patch, version 4.0.0.1, doesn’t appear to have addressed the flaw. And Sand Studio, the development team behind AirDroid, has yet to respond to Zimperium’s accusations.

In a statement published to the official AirDroid blog, Sand Studio said it hoped to have a fix ready within two weeks.

If you’re an active AirDroid user, your options are relatively few.

Android limits the extent to which malicious apps can modify your phone’s files, but AirDroid has more access than most. It can make app purchases, and can access contacts, text messages, device location, camera, microphone, photos, Wi-Fi connection data, device ID, and call information. And a malicious update posing as a legitimate one could request additional permissions.

A virtual private network, or VPN, is a potential — but imperfect — solution. VPNs add a layer of security to unencrypted networks, providing a measure of protection from attackers. Ars Technica notes, though, there’s no guarantee a hacker won’t work around it by employing a captive portal — the sort of web page that hotels and airlines use to collect payment and registration information — to kick a VPN user to a compromised connection.

Until the problem’s patched, you’re best off using AirDroid only on wireless networks that you know and trust. If you rely on public Wi-Fi, though, you’re safest disabling or uninstalling AirDroid until a patch is in place.

Kyle Wiggers
Former Digital Trends Contributor