Brief
=====
Android App WheresMyDroid (10M - 50M installations) allows a malicious
user to perform the following:

- Take silent camera photos, automatically uploading them.

- Getting the GPS location.

- Possibly wiping the phone, locking and unlocking the device.

- Upgrading the App to the Pro version.

These are all possible via SMS messages.


Disclosure timeline

===================

April 20th, 2016: discovered issues.
April 21st, 2016: contacted App developers with no response.
May 1st, 2016: tried to contact App developers for the second time.
May 7th, 2016: public disclosure.

Technical details

=================

The WheresMyDroid Android App listens to SMS messages and acts
according to their content.

Some operations (checking whether the App is running and upgrading to
Pro) are hard-coded, while others have weak default values.


More technical information and blog entry
==============================
securitygodmode.blogspot.com/2016/05/android-attack-surfaces-part-i.html