AirDroid has been a popular service on Android for years, allowing users to easily and wirelessly access the files on their smartphone from a PC, mirror notifications, and send/receive text messages. However, security company Zimperium has been tracking some major security vulnerabilities in the app for a few months now, and they’re still not fixed…
In May of this year, Zimperium discovered several security issues in AirDroid. While the app’s developers acknowledge them, updated versions since then — including a major 4.0 release and the current 4.0.1 — still suffer from the same vulnerabilities.
The details are a bit complex, but the basic summary is that these vulnerabilities allow anyone on the same network as an AirDroid user to send a possibly malicious APK to the Android device. A prompt to install would show up on-screen, but users would ultimately still have the ability to cancel.
Furthermore, an attacker could obtain private account credentials, including, but not limited to, the username and password for the connected AirDroid account. Zimperium’s summary follows:
AirDroid relies on insecure communication channels in order to send the same data used to authenticate the device to their statistics server. Such requests are encrypted with DES (ECB mode); however, the encryption key is hardcoded inside the application itself (thus known to an attacker). Any malicious party on the same network as the target device could execute a man-in-the-middle attack in order to obtain authentication credentials and impersonate the user for further requests.
The video below shows the process in detail, but the biggest thing you should take away from this is that you may want to uninstall AirDroid from your device, or at the very least stop using it on a network that others can access.
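The pattern in Zimperium's summary, DES in ECB mode with a key embedded in the app, is one a source audit can flag before release. The script below is an added example, not code from Zimperium or AirDroid: the Java snippet, its key string and the function name audit are all constructed for illustration.

```python
import re

# Constructed sample of decompiled Java; NOT AirDroid's actual code or key.
SAMPLE_JAVA = '''\
public class StatsClient {
    private static final String K = "s3cr3tk1";
    byte[] seal(byte[] body) throws Exception {
        SecretKeySpec spec = new SecretKeySpec(K.getBytes(), "DES");
        Cipher c = Cipher.getInstance("DES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, spec);
        return c.doFinal(body);
    }
    byte[] sealSafe(byte[] body, SecretKey key) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key);
        return c.doFinal(body);
    }
}
'''

TRANSFORM = re.compile(r'Cipher\.getInstance\(\s*"([^"]+)"')
KEYSPEC = re.compile(r'new\s+SecretKeySpec\(\s*("(?:[^"\\]|\\.)*"|\w+)\s*\.getBytes\(')
STR_CONST = re.compile(r'\bString\s+(\w+)\s*=\s*"')
BLOCK_CIPHERS = {"DES", "DESEDE", "AES", "BLOWFISH"}

def audit(source):
    """Return (line_no, finding) tuples for weak cipher use and literal keys."""
    findings = []
    lines = source.splitlines()
    # Names of String variables that are initialised from a string literal.
    literal_names = {m.group(1) for l in lines for m in STR_CONST.finditer(l)}
    for no, line in enumerate(lines, 1):
        for m in TRANSFORM.finditer(line):
            parts = m.group(1).upper().split("/")
            algo = parts[0]
            # A bare algorithm name such as "DES" resolves to ECB by default.
            mode = parts[1] if len(parts) > 1 else "ECB"
            if algo == "DES":
                findings.append((no, "weak-cipher:DES"))
            if algo in BLOCK_CIPHERS and mode == "ECB":
                findings.append((no, "ecb-mode"))
        for m in KEYSPEC.finditer(line):
            arg = m.group(1)
            # Key bytes taken from a literal or from a literal-backed variable.
            if arg.startswith('"') or arg in literal_names:
                findings.append((no, "hardcoded-key"))
    return findings
```

Calling audit(SAMPLE_JAVA) reports the literal-backed key on line 4 and the DES and ECB findings on line 5, while the AES/GCM method with a caller-supplied key passes clean.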