AirDroid for Android is a very popular App among smartphone users and has been downloaded 20 million times with a overall 4.5 stars ratings from reviewers on Google Play. Researchers at Bishop Fox have discovered that it is vulnerable to a pretty serious authentication bug which can be exploited even if the AirDroid for Android App is not being used. Once an attacker gains access to a victim’s phone, an attacker can perform actions such as taking photos via the phone’s camera, track the victim via GPS, send messages and harass the victim’s contacts, Bishop Fox’s Matt Bryant explained in a blog post. Matt explains the modus operandi of the potential hacker : 1.) The attacker sends the victim an innocent-seeming link. 2.) The victim takes the bait and clicks the link. 3.) Click! The attacker – specifically, his or her website – now has control of the victim’s phone. 4.) The webpage opens, sending a text message to the victim and taking a photo of him or her as well. 5.) The photo is sent to the attacker, who then uses it to taunt the victim. The proof-of-concept video is given below
Matt says that they had informed the AirDroid security team of this serious vulnerability and AirDroid has now patched the same. Android smartphone users can download the updated version of AirDroid from here.