Popular Android remote app AirDroid is vulnerable to hacks

If you’re an Android user, you may have heard of AirDroid, a souped-up remote control app that lets you wirelessly connect to an Android phone or tablet. It’s impressively robust: you can respond to text messages directly from your PC, dismiss or answer an incoming call, silence notifications from certain apps, and even transfer files and photos simply by clicking and dragging. But it’s also frighteningly vulnerable to hacks: according to research firm Zimperium, a nasty security hole has left “tens of millions” of AirDroid’s users susceptible to data-stealing attackers.

At fault is the app’s weak method of encryption. In a blog post published Friday, Zimperium reported that the key AirDroid uses to obfuscate sensitive updates and data (a digital passcode made up of a combination of numbers, letters, and characters) is both “static” and “easily detectable.” And while AirDroid uses the industry-standard HTTPS security protocol to handle most files, the app transfers crucial bits over unencrypted HTTP.

That opens the door for a reasonably skilled hacker to perform what’s known as a man-in-the-middle attack: using a third-party computer to impersonate AirDroid’s servers, deliver fraudulent app updates, and view sensitive information. In this manner, hackers could steal email addresses and passwords, surreptitiously install apps, or even replace the legitimate AirDroid application with a malicious replica.

“A malicious party on the same network as the victim can leverage this vulnerability to take full control of their device,” Simone Margaritelli, Zimperium’s principal security researcher, told Ars Technica. “Moreover, the attacker will be able to see the user’s sensitive information … As soon as the update, or fake update, is installed the software automatically launches the updated [Android app file] without ever verifying who built it.”
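The check Margaritelli says is missing, as an added example that is not from the article, Zimperium or AirDroid: an update client that refuses cleartext downloads and installs a package only if its signature verifies against a public key pinned inside the app. The key, URLs and package bytes are constructed for the demo, and the pure-Python RSA check stands in for the platform's real signature verification.

```python
import hashlib
from urllib.parse import urlsplit

# ASN.1 DigestInfo header for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def encode(data: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(data) for a k-byte RSA modulus."""
    t = SHA256_PREFIX + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_verify(data: bytes, sig: bytes, n: int, e: int) -> bool:
    """Check an RSASSA-PKCS1-v1_5 signature using only the public key (n, e)."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    return pow(s, e, n).to_bytes(k, "big") == encode(data, k)

def accept_update(url: str, package: bytes, sig: bytes, pinned_key) -> tuple:
    """Decide whether a downloaded update may be installed: (ok, reason)."""
    if urlsplit(url).scheme != "https":
        return False, "update offered over cleartext HTTP"
    if not rsa_verify(package, sig, *pinned_key):
        return False, "package not signed by the pinned vendor key"
    return True, "ok"

# --- Constructed demo data (not AirDroid's real key, URLs or packages) ---
# Toy key built from two Mersenne primes; fine for a demo, too weak for real use.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, held by the vendor only
PINNED = (N, E)                      # public half, shipped inside the app

def vendor_sign(package: bytes) -> bytes:
    """Vendor-side signing, included only so the demo has a valid signature."""
    k = (N.bit_length() + 7) // 8
    m = int.from_bytes(encode(package, k), "big")
    return pow(m, D, N).to_bytes(k, "big")

GENUINE = b"constructed update package v2"
SIG = vendor_sign(GENUINE)
TAMPERED = b"constructed package swapped in transit"

if __name__ == "__main__":
    for url, pkg in [("https://updates.example.invalid/app.apk", GENUINE),
                     ("http://updates.example.invalid/app.apk", GENUINE),
                     ("https://updates.example.invalid/app.apk", TAMPERED)]:
        print(url, accept_update(url, pkg, SIG, PINNED))
```

Unlike a static key embedded in every copy of the app, the pinned value here is a public key: knowing it lets anyone verify an update but not forge one.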

Zimperium disclosed the vulnerability to AirDroid in May, but it remains present in the newest major release of AirDroid, version 4, launched in mid-November. A subsequent patch, version 4.0.0.1, doesn’t appear to have addressed the flaw. And Sand Studio, the development team behind AirDroid, has yet to respond to Zimperium’s accusations.

In a statement published to the official AirDroid blog, Sand Studio said it hoped to have a fix ready within two weeks.

If you’re an active AirDroid user, your options are relatively few.

Android limits the extent to which malicious apps can modify your phone’s files, but AirDroid has more access than most. It can make app purchases, and can access contacts, text messages, device location, camera, microphone, photos, Wi-Fi connection data, device ID, and call information. And a malicious update posing as a legitimate one could request additional permissions.

A virtual private network, or VPN, is a potential but imperfect solution. VPNs add a layer of security to unencrypted networks, providing a measure of protection from attackers. Ars Technica notes, though, that there’s no guarantee a hacker won’t work around it by employing a captive portal, the sort of web page that hotels and airlines use to collect payment and registration information, to kick a VPN user to a compromised connection.

Until the problem’s patched, you’re best off using AirDroid only on wireless networks that you know and trust. If you rely on public Wi-Fi, though, you’re safest disabling or uninstalling AirDroid until a patch is in place.

Kyle Wiggers
Former Digital Trends Contributor
Kyle Wiggers is a writer, Web designer, and podcaster with an acute interest in all things tech. When not reviewing gadgets…