The Android app developed by Chinese drone-maker Da Jiang Innovations (DJI) was found to have a new security flaw. The app comes with an auto-update mechanism that bypasses Google Play Store and could be used to install malicious applications and transmit sensitive personal information to DJI’s servers.
According to cybersecurity firms Synacktiv and GRIMM, DJI’s GO 4 Android app not only asks for extensive permissions and collects personal data (IMSI, IMEI, and the serial number of the SIM card), it also makes use of anti-debug and encryption techniques to thwart security analysis.
This update mechanism is similar to the command-and-control servers encountered with malware. Because of the wide permissions required by DJI GO 4, which include contacts, microphone, camera, location, storage and the ability to change network connectivity, DJI’s or Weibo’s Chinese servers have almost complete control over the user’s phone.
DJI is the world’s largest maker of commercial drones and has faced scrutiny alongside other Chinese companies over national security concerns.
The Android app has been downloaded more than one million times via the Google Play Store. The security vulnerabilities, however, do not apply to its iOS version, which is neither obfuscated nor equipped with the hidden update feature.
GRIMM performed the research in response to a security audit requested by an unnamed defense and public safety technology vendor in order to investigate the privacy implications of DJI drones within the Android DJI GO 4 application.
While reverse engineering the app, Synacktiv uncovered a URL (“hxxps://service-adhoc.dji.com/app/upgrade/public/check”) that the app uses to download an application update and then prompt the user to grant permission to “Install Unknown Apps.”
The researchers modified the request to trigger a forced update to an arbitrary application, which first prompted the user to allow the installation of untrusted applications and then blocked them from using the app until the update was installed.
This is a direct violation of Google Play Store guidelines, and an attacker who compromised the update server could target users with malicious application updates.
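A defensive counterpart to the update flaw described above, added here as an illustration and not code from DJI or the researchers: a self-updater that refuses to hand a downloaded APK to the installer unless it has the same package name, a newer version code, and the same signing certificate as the running app, so a compromised update server cannot push an arbitrary application through the channel. The class and method names are hypothetical; the check relies on the Android API 28+ `SigningInfo` classes and runs before any install intent is fired.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;

/** Hypothetical gatekeeper for an in-app update path (not DJI code). */
public final class UpdateVerifier {

    /** Returns true only if the downloaded APK is a genuine newer build of this app. */
    public static boolean isTrustedUpdate(Context ctx, String apkPath) throws Exception {
        PackageManager pm = ctx.getPackageManager();
        int flags = PackageManager.GET_SIGNING_CERTIFICATES;

        // Certificates of the app that is installed and currently running.
        PackageInfo self = pm.getPackageInfo(ctx.getPackageName(), flags);
        // Certificates parsed out of the downloaded file, before it is installed.
        PackageInfo update = pm.getPackageArchiveInfo(apkPath, flags);
        if (update == null || update.signingInfo == null) {
            return false; // unparsable or unsigned: never forward to the installer
        }
        // A forced "update" to an arbitrary APK carries some other package name.
        if (!ctx.getPackageName().equals(update.packageName)) {
            return false;
        }
        // Refuse downgrades so an old, vulnerable build cannot be pushed back.
        if (update.getLongVersionCode() <= self.getLongVersionCode()) {
            return false;
        }
        // Keep the comparison simple: exactly one signer on both sides.
        if (self.signingInfo.hasMultipleSigners() || update.signingInfo.hasMultipleSigners()) {
            return false;
        }
        byte[] expected = sha256(self.signingInfo.getApkContentsSigners()[0]);
        byte[] actual = sha256(update.signingInfo.getApkContentsSigners()[0]);
        // Constant-time compare of the certificate fingerprints.
        return MessageDigest.isEqual(expected, actual);
    }

    private static byte[] sha256(Signature sig) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(sig.toByteArray());
    }
}
```

Call `isTrustedUpdate` on the downloaded file and only then build the install intent; a Play Store delivered update makes the whole path unnecessary.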
The app also continues to run in the background even after it is closed and leverages a Weibo SDK (“com.sina.weibo.sdk”) to install an arbitrarily downloaded app, a code path triggered for users who have opted to live stream the drone video feed via Weibo. However, the researchers did not find any evidence that it was exploited to target individuals with malicious application installations.
The researchers also found that the app took advantage of the MobTech SDK to hoover up metadata about the phone, including screen size, brightness, WLAN address, MAC address, BSSIDs, Bluetooth addresses, IMEI and IMSI numbers, carrier name, SIM serial number, SD card information, OS language and kernel version, and location information.
DJI disputed the research, stating that there is no evidence that the flaws were ever exploited. The company said that the features in question were not used in DJI’s flight control systems for government and professional customers, and that it was not able to replicate the behavior of the app restarting on its own.
In future versions, users will also be able to download the official version from Google Play, and if they do not consent to do so, the hacked version of the app will be disabled for safety reasons.