
Popular Android remote app AirDroid is vulnerable to hacks

If you’re an Android user, you may have heard of AirDroid, a souped-up remote control app that lets you wirelessly connect to an Android phone or tablet. It’s impressively robust: you can respond to text messages directly from your PC, dismiss or answer an incoming call, silence notifications from certain apps, and even transfer files and photos simply by clicking and dragging. But it’s also frighteningly vulnerable to hacks: according to research firm Zimperium, a nasty security hole has left “tens of millions” of AirDroid’s users susceptible to data-stealing attackers.

At fault is the app’s weak method of encryption. In a blog post published Friday, Zimperium reported that AirDroid’s key — a digital passcode made up of a combination of numbers, letters, and characters — that it uses to obfuscate sensitive updates and data is both “static” and “easily detectable.” And while AirDroid uses the industry-standard HTTPS security protocol to handle most files, the app transfers crucial bits over unencrypted HTTP.


That opens the door for a reasonably skilled hacker to perform what’s known as a man-in-the-middle attack: using a third-party computer to impersonate AirDroid’s servers, deliver fraudulent app updates, and view sensitive information. In this manner, hackers could steal email addresses and passwords, surreptitiously install apps, or even replace the legitimate AirDroid application with a malicious replica.

“A malicious party on the same network as the victim can leverage this vulnerability to take full control of their device,” Simone Margaritelli, Zimperium’s principal security researcher, told Ars Technica. “Moreover, the attacker will be able to see the user’s sensitive information … As soon as the update, or fake update, is installed the software automatically launches the updated [Android app file] without ever verifying who built it.”
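The two design choices described above, a static key that ships inside the app and an update that is installed without checking who built it, are the ones an update mechanism has to avoid. The Go program below is an added illustration, not AirDroid’s or Zimperium’s code, and the details of AirDroid’s real scheme are not on this page, so the “weak” half is an assumed model: an authenticator computed with a symmetric key compiled into the app. Every installed copy carries that key, so passing the check proves nothing about who produced the update. The “hardened” half shows the general pattern a client should use instead: refuse non-HTTPS update URLs, verify the update manifest under a vendor public key pinned at build time (only the public half ships in the app), and bind the downloaded APK to a hash inside that signed manifest. All names, URLs, version strings and key material are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
)

// UpdateManifest is a constructed stand-in for the update announcement a
// client receives from its update server; the field names are assumptions.
type UpdateManifest struct {
	URL     string   // where the client will download the APK
	Version string   // version being offered
	APKHash [32]byte // SHA-256 of the APK bytes the manifest vouches for
}

// canonical returns the byte string that gets authenticated. Every field the
// client later acts on must be covered, or it can be altered in transit.
func (m UpdateManifest) canonical() []byte {
	return []byte(m.URL + "\n" + m.Version + "\n" + hex.EncodeToString(m.APKHash[:]))
}

// --- Weak design: a static symmetric key compiled into the app ------------

// staticKey models a key that ships inside every copy of the app (a
// constructed value). Because every install carries it, it is a secret
// shared with the whole world, not a secret shared with the vendor.
var staticKey = []byte("constructed-static-key-shared-by-every-install")

// TagWithStaticKey computes the authenticator the vendor would attach.
func TagWithStaticKey(m UpdateManifest) []byte {
	mac := hmac.New(sha256.New, staticKey)
	mac.Write(m.canonical())
	return mac.Sum(nil)
}

// AcceptWithStaticKey is the check the weak client performs. Any party that
// has extracted staticKey from the app can produce a tag this accepts, so
// passing the check says nothing about who built the update.
func AcceptWithStaticKey(m UpdateManifest, tag []byte) bool {
	return hmac.Equal(tag, TagWithStaticKey(m))
}

// --- Hardened design: pinned vendor key, HTTPS only, hash-bound APK -------

// NewVendorKeys generates a signing key pair. Only the public half is
// compiled into the app; the private half stays in the vendor's release process.
func NewVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignManifest is the step the vendor's release pipeline performs.
func SignManifest(priv ed25519.PrivateKey, m UpdateManifest) []byte {
	return ed25519.Sign(priv, m.canonical())
}

// Verifier holds the vendor public key pinned at build time.
type Verifier struct {
	PinnedPub ed25519.PublicKey
}

// Accept applies the checks the article says were missing: the update must
// come over HTTPS, the manifest must verify under the pinned vendor key, and
// the downloaded APK must match the hash inside that signed manifest.
func (v Verifier) Accept(m UpdateManifest, sig, apk []byte) error {
	u, err := url.Parse(m.URL)
	if err != nil || u.Scheme != "https" {
		return errors.New("update URL is not HTTPS; refusing to install")
	}
	if !ed25519.Verify(v.PinnedPub, m.canonical(), sig) {
		return errors.New("manifest signature does not verify under the pinned vendor key")
	}
	if sha256.Sum256(apk) != m.APKHash {
		return errors.New("downloaded APK does not match the hash in the signed manifest")
	}
	return nil
}

func main() {
	pub, priv := NewVendorKeys()
	apk := []byte("constructed APK bytes")
	m := UpdateManifest{URL: "https://updates.example.invalid/app.apk", Version: "0.0.0-example", APKHash: sha256.Sum256(apk)}
	sig := SignManifest(priv, m)
	v := Verifier{PinnedPub: pub}
	fmt.Println("genuine update:", v.Accept(m, sig, apk))
	m.URL = "http://updates.example.invalid/app.apk" // what a downgrade in transit would look like
	fmt.Println("after URL tampering:", v.Accept(m, sig, apk))
}
```

The order of the checks matters: the scheme check runs first so that an attacker-controlled plaintext channel is rejected before any signature is even considered, and the APK hash is compared only after the manifest carrying that hash has been authenticated, which is what ties the installed file to the vendor’s signing key.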

Zimperium disclosed the vulnerability to AirDroid in May, but it remains present in the newest major release of AirDroid — version 4 — launched in mid-November. A subsequent patch, version 4.0.0.1, doesn’t appear to have addressed the flaw. And Sand Studio, the development team behind AirDroid, has yet to respond to Zimperium’s accusations.

In a statement published to the official AirDroid blog, Sand Studio said it hoped to have a fix ready within two weeks.

If you’re an active AirDroid user, your options are relatively few.

Android limits the extent to which malicious apps can modify your phone’s files, but AirDroid has more access than most. It can make app purchases, and can access contacts, text messages, device location, camera, microphone, photos, Wi-Fi connection data, device ID, and call information. And a malicious update posing as a legitimate one could request additional permissions.

A virtual private network, or VPN, is a potential — but imperfect — solution. VPNs add a layer of security to unencrypted networks, providing a measure of protection from attackers. Ars Technica notes, though, there’s no guarantee a hacker won’t work around it by employing a captive portal — the sort of web page that hotels and airlines use to collect payment and registration information — to kick a VPN user to a compromised connection.

Until the problem’s patched, you’re best off using AirDroid only on wireless networks that you know and trust. If you rely on public Wi-Fi, though, you’re safest disabling or uninstalling AirDroid until a patch is in place.

Kyle Wiggers