AirDroid patches vulnerability that exposed millions of users to phone data hijacking

David bisson
David Bisson

Airdroid vulnerability

A vulnerability that left millions of AirDroid users vulnerable to phone data hijacking attacks has been patched.

AirDroid is a device manager app that grants Android users access to their devices through their computers, allowing them to manage their Android SMS messages, calls, notifications for other mobile apps including WhatsApp and Facebook, and more. The app is available on Android, Windows, Mac OS X, and via the web.

Approximately 50 million Android users from all over the world have installed AirDroid onto their devices.

Sign up to our free newsletter.
Security news, advice, and tips.

According to researchers, each and every one of them was recently vulnerable to a flaw that (if exploited) could have enabled an attacker to steal their devices’ information.


On Wednesday, Oded Vanunu, group manager of security research and penetration at Check Point, published a blog post in which he explains how one of his researchers discovered a flaw (CVE-2015-8112) that allowed an attacker to execute malicious code during an AirDroid session.

Exploitation of this vulnerability was child’s play, according to Vanunu:

“To exploit the vulnerability, a potential attacker simply needs to send the target a text message from a saved contact that is ‘inserted’ inside the AirDroid interface. Attackers can send their targets a seemingly innocent contact card (vCard) containing malicious code via any service (MMS/WhatsApp/email/etc.). All an attacker needs is the phone number associated with the targeted account.”

Airdroid vCard

As is evident in the sample malicious contact card above, there’s nothing to tip off an AirDroid user about the request’s malicious intent.

But rest assured, if a user approves the request, all it takes is a text message from the fake contact card for the malicious code to execute on the victim’s device.

At that point in time, the attacker can then get a valid session token and exploit the AirDroid API.

Airdroid exploit

“The AirDroid attack flow provides cybercriminals with a very easy way to target users: sending a contact card and an SMS message to execute the attack. The main threat is a complete theft of private information – imagine, for example, that just receiving an SMS message can result in all of the user’s data being stolen. Another threat is that an attacker could control the content of the target’s device.”

On January 29, 2016, AirDroid released an update that contained a fix for the vulnerability. But as Vanunu is careful to point out, many other flaws that could result in phone data hijacking attacks have yet to be patched or even discovered.

Users are therefore urged to exercise caution when approving a contact request from an individual they might not know or may not be expecting. They should also run a mobile anti-virus solution on their device at all times and be careful to download apps from reputable providers only.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.