Be careful when using Wi-Fi, ES File Manager will wipe out all your data


If you use the popular file explorer app ES File Explorer on an Android smartphone or tablet, be careful: a French security researcher, Baptiste Robert, has discovered a vulnerability in the app (tracked as CVE-2019-6447) that could allow hackers to access sensitive information on the device. He says the vulnerability exists in versions 4.1.9.7.4 and lower of the app.

French cybersecurity researcher Baptiste Robert (Twitter: @fs0c131y)

ES File Explorer

ES File Explorer has a huge user base, with more than 100 million installations on the Google Play Store and more than 400 million downloads worldwide since 2014. It is a convenient, fast and efficient Android file management application. It is so popular because it is completely free and includes an option to upgrade to ES File Manager Pro, which removes ads and adds new features. That popularity also means there may be many vulnerable devices.

Local network vulnerability allows hackers to steal data

According to French cybersecurity researcher Baptiste Robert (Twitter: @fs0c131y), who goes by the handle Elliot Alderson on some online forums, the ES File Explorer app may include a small hidden web server running in the background. Robert is not entirely sure why the web server exists (he thinks it may have something to do with using an HTTP server on port 59777 to stream videos to other apps), but he concludes that it exposes the user's device to anyone on the local network: any hacker on the same network as the affected device can reach the web server through the open port, gain access to the device, and use that port to inject a malicious JSON payload.

Once hackers gain access, they can theoretically extract any file from a user's Android device, including photos, videos and text files, and transfer them between affected devices. They can also remotely launch applications on affected devices.

What hackers can retrieve or do on the victim device:

  • List all files in the SD card of the victim device;
  • List all images in the victim device;
  • List all videos in the victim device;
  • List all audio in the victim device;
  • List all applications installed in the victim device;
  • List all system applications installed in the victim device;
  • List all apk files stored in the SD card of the victim’s device;
  • Get device information of the victim device;
  • Extract files from the victim device;
  • Launch the selected application;
  • Get the icon of a selected application.

Although the vulnerability is real, an attack has one prerequisite: the hacker must be on the same network as the victim, for example connected to the same Wi-Fi network. In other words, when users are on a private network at home, the threat is not very serious. But if they are in public places such as airports, coffee shops or libraries and use public networks, the risk will increase exponentially.
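A defender-side view of the exposure described above, as an added example that is not from the original article or from Robert's proof-of-concept: it scans flow records for same-network TCP connections to port 59777 and reports which devices accepted them and which sources contacted several devices. The record format, addresses, connection-state names and sweep threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

ES_PORT = 59777       # HTTP port the article attributes to ES File Explorer
SWEEP_THRESHOLD = 3   # assumption: distinct targets before a source counts as sweeping

# Constructed sample records (hypothetical format): time src dst dport proto state
SAMPLE_FLOWS = """\
2019-01-17T10:00:01 192.168.1.23 192.168.1.40 59777 tcp ESTABLISHED
2019-01-17T10:00:01 192.168.1.23 192.168.1.41 59777 tcp SYN_SENT
2019-01-17T10:00:02 192.168.1.23 192.168.1.42 59777 tcp ESTABLISHED
2019-01-17T10:03:10 192.168.1.51 192.168.1.40 59777 tcp ESTABLISHED
2019-01-17T10:04:00 192.168.1.50 203.0.113.10 443 tcp ESTABLISHED
2019-01-17T10:05:00 192.168.1.52 192.168.1.40 59777 udp NEW
truncated-record 192.168.1.9
"""


def parse_flow(line):
    """Parse one record; raises ValueError on blank or malformed input."""
    ts, src, dst, dport, proto, state = line.split()
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
        "proto": proto.lower(),
        "state": state.upper(),
    }


def analyse(text):
    """Return (exposed_devices, sweeping_sources) as sorted lists of IP strings."""
    exposed = set()
    targets = defaultdict(set)
    for line in text.splitlines():
        try:
            f = parse_flow(line)
        except ValueError:
            continue  # skip blank or malformed records
        if f["proto"] != "tcp" or f["dport"] != ES_PORT:
            continue
        # Same-network prerequisite, approximated as both ends being private addresses.
        if not (f["src"].is_private and f["dst"].is_private):
            continue
        targets[f["src"]].add(f["dst"])
        if f["state"] == "ESTABLISHED":
            exposed.add(f["dst"])  # the device answered on 59777
    sweepers = {s for s, d in targets.items() if len(d) >= SWEEP_THRESHOLD}
    return sorted(map(str, exposed)), sorted(map(str, sweepers))
```

A device listed as exposed is a candidate for updating or removing the app; a sweeping source is worth investigating on a shared network.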

Robert developed a proof-of-concept script to retrieve data from Android devices and SD cards running ES File Explorer on the local network, as shown in the following figure:

[Figure: Robert's proof-of-concept script]

Another local vulnerability can be used for man-in-the-middle attacks

About four hours after Robert disclosed the CVE-2019-6447 open port vulnerability, Lukas Stefanko, an Android malware researcher at ESET, discovered another local vulnerability in ES File Explorer.

Potential attackers can use a man-in-the-middle (MitM) attack to intercept the application's HTTP network traffic and replace it with their own. Stefanko also said that all ES File Explorer versions v4.1.9.7.4 and below are affected by this MitM vulnerability.

When the researchers contacted ES App Group, the developer of ES File Explorer, and reported the vulnerability, the company apologized and said it had started work on a fix. However, the new version is still awaiting approval, so it may take several days to become available on the Google Play Store.
