A French cybersecurity researcher reports that the Android ES File Explorer app can allow others on your local network to remotely access a file on your phone.
The app, which has more than 100 million Android installs and is designed to manage all varieties of file types, has a major open port issue that allows access to the device, Elliot Alderson found.
“The surprise is: if you opened the app at least once, anyone connected to the same local network can remotely get a file from your phone,” Alderson tweeted.
Each time the app is opened, an HTTP server is started and left open locally on port 59777. On this port, an attacker can send a JSON payload to the target, Alderson said. A proof of concept of the vulnerability is posted on GitHub.
Craig Young, computer security researcher for Tripwire’s VERT, told SC Media the problem is even more severe than Alderson noted, as the intruder does not have to be on the same network.
“The truth is that attackers do not need to be on the same network as the victim phone thanks to DNS rebinding. With this attack model, a web site loaded on the phone or by any user on the same network can directly interact with the vulnerable HTTP server. This enables a remote attacker to harvest files and system information from vulnerable devices. An attack could be launched through hacked web pages, malicious advertising, or even a tweeted video,” he said.
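For developers who embed a local HTTP server in an app, the following added example (not code from ES File Explorer or from the published proof of concept) sketches the two checks that close both exposures described above: refusing peers that are not on loopback, and rejecting requests whose Host header is not a loopback name, which is what defeats DNS rebinding. The function names and the allowlist are hypothetical; only port 59777 comes from the article.

```python
import ipaddress

PORT = 59777                     # port named in the article
ALLOWED_NAMES = {"localhost"}    # hypothetical allowlist for a local-only service


def split_host(value):
    """Split a Host header into (name, port); port is None when absent."""
    value = value.strip().lower()
    if value.startswith("["):                 # bracketed IPv6 literal
        end = value.find("]")
        if end < 0:
            return None, None
        name, rest = value[1:end], value[end + 1:]
    else:
        name, sep, port = value.partition(":")
        rest = sep + port
    if rest == "":
        return name, None
    if rest.startswith(":") and rest[1:].isdigit():
        return name, int(rest[1:])
    return None, None                         # malformed header


def host_allowed(host_header, peer_ip, port=PORT):
    """True only for requests addressed directly to this local service."""
    if not host_header:
        return False
    name, host_port = split_host(host_header)
    if name is None or (host_port is not None and host_port != port):
        return False
    # Same-network case: a LAN peer can send any Host value it likes,
    # so the peer address itself must be loopback.
    if not ipaddress.ip_address(peer_ip).is_loopback:
        return False
    # Rebinding case: the browser connects from loopback, but the Host
    # header still carries the name of the page's own domain.
    if name in ALLOWED_NAMES:
        return True
    try:
        return ipaddress.ip_address(name).is_loopback
    except ValueError:
        return False                          # any other DNS name is refused
```

Binding the listening socket to 127.0.0.1 instead of all interfaces gives the same result as the peer check at the network layer; the Host check is still needed because a rebinding request arrives from the device's own browser.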