Poor implementation of encryption in a popular Android remote management application exposes millions of users to data theft and remote code execution attacks.
According to researchers from mobile security firm Zimperium, the AirDroid screen-sharing and remote-control application sends authentication information encrypted with a hard-coded key. This information could allow man-in-the-middle attackers to push out malicious AirDroid add-on updates, which would then gain the permissions of the app itself.
AirDroid has access to a device’s contacts, location information, text messages, photos, call logs, dialer, camera, microphone and the contents of the SD card. It can also perform in-app purchases, change system settings, disable the screen lock, change network connectivity and much more.
Source: COMPUTER WORLD