Why is one of the most popular Android apps running in the background with a hidden web server?
According to ES File Explorer, more than 500 million downloads have been performed since 2014, making it one of the most widely used apps to date. Simplicity makes it what it is: a simple file explorer that lets you browse the file system of your Android phone or tablet for files, data, documents, and more.
But behind the scenes, the app runs a slimmed-down web server on the device. This will open the entire Android device for a variety of attacks – including data theft.
Baptiste Robert, a French security researcher looking for online handle Elliot Alderson found that unmasked last week, and released his findings in several tweets on Wednesday. Before tweeting, he showed TechCrunch how to use the exposed port to filter data from the device in the background.
"All connected devices on the local network can be installed [data] on the device," he said.
Using a simple script he wrote, Robert demonstrated how to retrieve images, videos, and app names from another device on the same network, or even get a file from the memory card. The script even allows an attacker to remotely launch an app on the victim's device.
He sent his script for testing and we checked his results with a replacement Android phone. Robert said the app versions 22.214.171.124.2 and below have the open port.
"It's clearly not good," he said.
We contacted the manufacturers of ES File Explorer, but did not hear anything before the release. If that changes, we will update it.
The obvious caveat is that the exploitation opportunities are low, as this is not an attack anyone can do on the Internet. Each attacker must be in the same network as the victim. In general, this would mean the same Wi-Fi network. However, this also means that any malicious app on any device on the network that exploits the vulnerability can retrieve data from a device using ES File Explorer and send it to another server if it has network permissions.
Of the reasonable explanations, some have suggested that videos will be transferred to other apps over the HTTP protocol. Others who found the same exposed port in the past found it alarming. The app even says that it allows you to "manage files on your phone from your computer … when this feature is enabled."
Most likely, however, is that the open port leaves it open as soon as they open the app