Cybersecurity researchers on Thursday revealed security issues in the Android app developed by Chinese drone-maker Da Jiang Innovations (DJI) that comes with an auto-update mechanism that bypasses Google Play Store and could be used to install malicious applications and transmit sensitive personal information to DJI’s servers.
The twin reports, courtesy of cybersecurity firms Synacktiv and GRIMM, found that DJI’s Go 4 Android app not only asks for extensive permissions and collects personal data (IMSI, IMEI, the serial number of the SIM card), it makes of anti-debug and encryption techniques to thwart security analysis.
“This mechanism is very similar to command and control servers encountered with malware,” Synacktiv said.
“Given the wide permissions required by DJI GO 4 — contacts, microphone, camera, location, storage, change network connectivity — the DJI or Weibo Chinese servers have almost full control over the user’s phone.”
The Android app has over one million installs via the Google Play Store. But the security vulnerabilities identified in the app don’t apply to its iOS version, which is not obfuscated, nor does it have the hidden update feature.
A “Shady” Self-Update Mechanism
GRIMM said the research was undertaken in response to a security audit requested by an unnamed defence and public safety technology vendor that sought to “investigate the privacy implications of DJI drones within the Android DJI GO 4 application.”
Reverse engineering the app, Synacktiv said it uncovered the existence of a URL (“hxxps://service-adhoc.dji.com/app/upgrade/public/check”) that it uses to download an application update and prompt the user to grant permission to “Install Unknown Apps.”
“We modified this request to trigger a forced update to an arbitrary application, which prompted the user first for allowing the installation of untrusted applications, then blocking him from using the application until the update was installed,” the researchers said.
images from Hacker News