Android app WheresMyDroid allows a malicious user to take silent camera photos, get the gps location, and various other dangerous actions.
794fccd3babd94bb14e3eb1e80fd75ed17acb5f866fabc87047e998bd5306d87
Brief
=====
Android App WheresMyDroid (10M - 50M installations) allows a malicious
user to perform the following:
- Take silent camera photos, which are automatically uploaded.
- Get the GPS location.
- Possibly wipe the phone, and lock and unlock the device.
- Upgrade the App to the Pro version.
All of these are possible via SMS messages.
Disclosure timeline
===================
April 20th, 2016: discovered issues.
April 21st, 2016: contacted App developers with no response.
May 1st, 2016: tried to contact App developers for the second time.
May 7th, 2016: public disclosure.
Technical details
=================
The WheresMyDroid Android App listens to SMS messages and acts
according to their content.
Some operations (checking whether the App is running and upgrading to
Pro) are hard-coded, while others have weak default values.
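As an added example (not the app's code: the command words and the shipped default are constructed placeholders, and the logic is modelled in Python rather than Android Java), an SMS command handler that accepts a shipped default and a hard-coded probe, beside one that refuses to act until the user sets a secret, restricts senders, caps failed attempts and never answers an unauthenticated probe:

```python
import hmac

# Constructed placeholders: the real trigger words are not given in the advisory.
SHIPPED_DEFAULT = "attention"
COMMANDS = {"locate": "gps", "camera": "photo", "wipe": "wipe"}

def parse_command(body):
    """Split an SMS body into (attention word, command) or None."""
    parts = body.strip().split(maxsplit=1)
    return (parts[0], parts[1].strip().lower()) if len(parts) == 2 else None

class VulnerableHandler:
    """Models the flaw: a shipped default is honoured, and a hard-coded
    probe needs no secret, so anyone who can text the number can drive it."""
    def __init__(self, attention_word=SHIPPED_DEFAULT):
        self.attention_word = attention_word
    def handle(self, sender, body):
        if body.strip().lower() == "isrunning":      # unauthenticated probe
            return "reply:running"
        parsed = parse_command(body)
        if parsed and parsed[0] == self.attention_word and parsed[1] in COMMANDS:
            return "run:" + COMMANDS[parsed[1]]
        return None

class HardenedHandler:
    """No action until the user picks a non-default secret; trusted senders
    only; constant-time compare; lock out after repeated wrong secrets."""
    def __init__(self, trusted_senders, max_failures=5):
        self.secret = None
        self.trusted = set(trusted_senders)
        self.failures = 0
        self.max_failures = max_failures
    def set_secret(self, secret):
        if secret == SHIPPED_DEFAULT or len(secret) < 8 or " " in secret:
            raise ValueError("secret must be user-chosen, 8+ chars, no spaces")
        self.secret = secret
    def handle(self, sender, body):
        # Silently drop anything that is not a trusted, configured, unlocked path.
        if self.secret is None or sender not in self.trusted:
            return None
        if self.failures >= self.max_failures:
            return None
        parsed = parse_command(body)
        if not parsed or parsed[1] not in COMMANDS:
            return None
        if not hmac.compare_digest(parsed[0].encode(), self.secret.encode()):
            self.failures += 1
            return None
        self.failures = 0
        return "run:" + COMMANDS[parsed[1]]
```

The lock-out counter stands in for whatever rate limiting a real app would persist; the point is that a remote sender gets neither a confirmation reply nor unlimited guesses.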
More technical information and blog entry
=========================================
securitygodmode.blogspot.com/2016/05/android-attack-surfaces-part-i.html