AirDroid patched vulnerability in version 3.2.0

Feb 17, 2016 18:30 GMT  ·  By

A bug in the AirDroid desktop client allowed attackers to steal data from Android devices by leveraging the application's PC-to-mobile synchronization abilities.

AirDroid is an application that lets users control their Android device from their desktop. An official Android app, which users install on their device, is available on the Google Play Store, and there are also Mac and Windows clients from which users manage their smartphone.

These clients let users manage their data and interact with Android apps from their desktop, whether the phone is connected to the PC or in a remote location. As you might imagine, the app is extremely successful: according to Google's data, it has been installed on over 50 million devices.

The attack leverages contact cards sent via SMS, email, or WhatsApp

In the autumn of 2015, Check Point's Kasif Dekel discovered that the desktop clients were vulnerable to a simple attack that could be carried out via malicious contact cards (vCards).

The attack is executed by entering malicious code in the vCard's name field and then sharing the contact card with the victim via SMS, WhatsApp, or email.

If the victim accepts the incoming contact card through the AirDroid desktop client, the malicious code is executed. The attacker's payload can be designed specifically to leverage AirDroid's APIs and then pass malicious code on to the remote Android device.
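A defensive illustration of the mechanism above, added here and not part of the article or of AirDroid's own code: a contact-import routine that treats the vCard name field as untrusted data, parsing the card, flagging names that carry markup or hidden characters, and escaping the name before it reaches a display view. It assumes the client renders names in an HTML-based view, which the article does not state; the sample vCard is constructed.

```python
import html
import re
import unicodedata

# Constructed sample vCard (not from the article). The FN field carries
# markup where a client expects plain text; the folded TEL line shows the
# RFC 6350 line folding a parser must undo before looking at values.
SAMPLE_VCARD = (
    "BEGIN:VCARD\r\n"
    "VERSION:3.0\r\n"
    "FN:Alice<script>/* constructed placeholder */</script>\r\n"
    "N:;Alice;;;\r\n"
    "TEL;TYPE=CELL:+1-555-\r\n"
    " 0100\r\n"
    "END:VCARD\r\n"
)

_ESCAPE = re.compile(r"\\([nN,;\\])")  # vCard value escapes: \n \, \; \\


def _unescape(value):
    return _ESCAPE.sub(lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)


def parse_vcard(text):
    """Return {PROPERTY: value} for the first occurrence of each property.

    Folded continuation lines (leading space or tab) are joined, parameters
    after ';' in the property name are dropped, and value escapes are undone.
    """
    unfolded = text.replace("\r\n ", "").replace("\r\n\t", "")
    props = {}
    for line in unfolded.split("\r\n"):
        if ":" not in line:
            continue  # blank trailing line or junk without a property
        name_params, _, value = line.partition(":")
        name = name_params.split(";", 1)[0].upper()
        props.setdefault(name, _unescape(value))
    return props


def is_suspicious_name(name):
    """True if the name holds anything a plain name never needs: markup
    delimiters, control characters (Cc), or format characters (Cf) such as
    bidi overrides that can hide part of the text from the user."""
    if "<" in name or ">" in name:
        return True
    return any(unicodedata.category(c) in ("Cc", "Cf") for c in name)


def safe_display_name(props):
    """Name as it should reach an HTML view: escaped so that any markup is
    shown literally rather than interpreted. Falls back to N if FN is absent."""
    name = props.get("FN") or props.get("N", "").replace(";", " ").strip()
    return html.escape(name, quote=True)
```

A client that imports contacts would reject or quarantine any card for which `is_suspicious_name` returns true and, in every case, pass the name through `safe_display_name` before rendering it.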

Attackers have control over the device via AirDroid's APIs

From there, attackers can steal the user's contact list, send SMS messages on his behalf, and do anything else the AirDroid app can execute on the smartphone.

What makes this attack dangerous is that, when receiving the contact card, the user sees no trace of the attacker's payload in the card's name field. Because other vulnerabilities have also leveraged contact cards shared among users, the safest course is to stop accepting vCards from other people and instead enter a person's details into your smartphone by hand.

Mr. Dekel contacted AirDroid in November 2015, and the company released a fix at the end of January 2016. The version that patched this vulnerability is AirDroid 3.2.0.