Researcher shows how popular app ES File Explorer exposes Android device data

[ARMOUR]

 

Why is one of the most popular Android apps running a hidden web server in the background?

 

ES File Explorer claims it has over 500 million downloads under its belt since 2014, making it one of the most used apps to date. It’s simplicity makes it what it is: a simple file explorer that lets you browse through your Android phone or tablet’s file system for files, data, documents and more.

But behind the scenes, the app is running a slimmed-down web server on the device. In doing so, it opens up the entire Android device to a whole host of attacks — including data theft.

 

Baptiste Robert, a French security researcher who goes by the online handle Elliot Alderson, found the exposed port last week, and disclosed his findings in several tweets on Wednesday. Prior to tweeting, he showed TechCrunch how the exposed port could be used to silently exfiltrate data from the device.

 

“All connected devices on the local network can get [data] installed on the device,” he said.

 

Using a simple script he wrote, Robert demonstrated how he could pull pictures, videos, and app names — or even grab a file from the memory card — from another device on the same network. The script even allows an attacker to remotely launch an app on the victim’s device.

 

He sent over his script for us to test, and we verified his findings using a spare Android phone. Robert said app versions 4.1.9.5.2 and below have the open port.

“It’s clearly not good,” he said.

 

We contacted the makers of ES File Explorer but did not hear back prior to publication. If that changes, we’ll update.

 

The obvious caveat is that the chances of exploitation are slim, given that this isn’t an attack that anyone on the internet can perform. Any would-be attacker has to be on the same network as the victim. Typically that would mean the same Wi-Fi network. But that also means that any malicious app on any device on the network that knows how to exploit the vulnerability could pull data from a device running ES File Explorer and send it along to another server, so long as it has network permissions.

 

Article Source:

• TechCrunch
• Elliot Alderson ‏

[Jogs]

Yet another bad thing about ES. Luckily I got rid of it long long ago.

[tiliarou]

what are you using then now ?

I'm used to ES pro which I got for free but would happily switch to better alternative

[Jogs]

I personally use Mixplorer & CX File explorer. Any thing new takes some time to adjust, but after using for some time it becomes easy.

[debebee]

Quote

The obvious caveat is that the chances of exploitation are slim, given that this isn’t an attack that anyone on the internet can perform. Any would-be attacker has to be on the same network as the victim. Typically that would mean the same Wi-Fi network. But that also means that any malicious app on any device on the network that knows how to exploit the vulnerability could pull data from a device running ES File Explorer and send it along to another server, so long as it has network permissions.

 

Not worrying me if you have  pretty secure network security

[rajeesh]

already uninstalled because of Chinese app. using filemanager by augustro. simple one..

 

[DKT27]

Saying from a long time. This app is not trustable anymore.

 

On 1/16/2019 at 5:16 PM, tiliarou said:

what are you using then now ?

I'm used to ES pro which I got for free but would happily switch to better alternative

 

See this topic. Most of them mentioned are fine to use on non-rooted phones too. My personal recommendation is mentioned here.

 

13 hours ago, teodz1984 said:

Not worrying me if you have  pretty secure network security

 

Here is my bigger concern as mentioned in the article:

 

Quote

But behind the scenes, the app is running a slimmed-down web server on the device. In doing so, it opens up the entire Android device to a whole host of attacks — including data theft.

 

As ambiguous as it might be, it's quite concerning thing. As I said, there are enough reasons to avoid the app - at least the newer versions that even you might agree.

 

22 minutes ago, rajeesh said:

already uninstalled because of Chinese app. using filemanager by augustro. simple one..

 

While this is my preferred app, here is another one which is made by same countryman there , is free and open source too.

[mkc21]

Ugh, I was annoyed by some people that said a couple of years ago to uninstall it (I had the pro version and paid for it) however I reluctantly uninstalled it. Looks like it was a good decision after all.

[DKT27]

12 minutes ago, mkc21 said:

Ugh, I was annoyed by some people that said a couple of years ago to uninstall it (I had the pro version and paid for it) however I reluctantly uninstalled it. Looks like it was a good decision after all.

 

If that people included me, then I would say, wise men them.