Brief ===== Android App WheresMyDroid (10M - 50M installations) allows a malicious user to perform the following: - Take silent camera photos, automatically uploading them. - Getting the GPS location. - Possibly wiping the phone, locking and unlocking the device. - Upgrading the App to the Pro version. These are all possible via SMS messages. Disclosure timeline =================== April 20th, 2016: discovered issues. April 21st, 2016: contacted App developers with no response. May 1st, 2016: tried to contact App developers for the second time. May 7th, 2016: public disclosure. Technical details ================= The WheresMyDroid Android App listens to SMS messages and acts according to their content. Some operations (checking whether the App is running and upgrading to Pro) are hard-coded, while others have weak default values. More technical information and blog entry ============================== http://ift.tt/1Tzs71t
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment