On Friday, we talked a little about DJI, so here’s a little more info in case you were curious.
On Thursday, cybersecurity researchers uncovered some issues in the Android app, developed by Chinese drone-maker Da Jiang Innovations (DJI). The app comes with an auto-update mechanism that bypasses Google Play Store and could be used to install malicious apps and transmit personal information to DJI’s servers. The twin reports (from cybersecurity firms Synacktiv and GRIMM) found that DJI’s Android app asks for extensive permissions and collects personal data. We don’t yet know if this capability has been utilised but it is there.
The Android app has over one million installs from the Google Play Store, but the security vulnerabilities identified don’t apply to the iOS version, which is not obfuscated (obfuscation is the practice of making source or machine code difficult for humans to understand) and doesn’t have the hidden update feature.
Auto-Updating and Downloading Unknown Apps
Reverse engineering the app uncovered a URL that the app uses to download an application update, after which it prompts the user to grant permission to “Install Unknown Apps”. Not only is this a direct violation of Google Play Store guidelines, but the feature also has serious security implications: for example, an attacker who compromised the update server could target users with malicious application updates.
Furthermore, the app continues to run in the background even after it’s been closed and leverages a Weibo SDK to install an arbitrarily downloaded app, triggering the feature for users who have opted to live stream the drone video feed via Weibo. Still, nobody has found any evidence that it has been exploited to target individuals with malicious application installations.
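As an added example (not code from the DJI app or from the Synacktiv/GRIMM reports), here is a small Python triage check a reviewer could run over a decompiled APK to flag the footprint described above: the REQUEST_INSTALL_PACKAGES permission, which is what backs the “Install Unknown Apps” prompt on Android 8 and later, combined with a hardcoded .apk download URL in the app’s strings. The manifest, package name and URLs below are constructed samples, not values from the real app.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Android 8.0+ permission behind the "Install Unknown Apps" prompt.
INSTALL_PERMISSION = "android.permission.REQUEST_INSTALL_PACKAGES"
APK_URL_RE = re.compile(r"https?://[^\s\"']+\.apk\b", re.IGNORECASE)

# Constructed sample manifest (not DJI's); only the fields the check needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.droneapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="DroneApp"/>
</manifest>
"""

# Constructed sample of strings dumped from a decompiled APK (hypothetical hosts).
SAMPLE_STRINGS = [
    "https://update.example.invalid/app/latest.apk",
    "com.example.droneapp.UpdateService",
    "https://api.example.invalid/v1/telemetry",
]


def declared_permissions(manifest_xml):
    """Return the set of permission names declared in an AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def apk_download_urls(strings):
    """Return URLs pointing at an .apk: the footprint of an out-of-store updater."""
    return sorted({m.group(0) for s in strings for m in APK_URL_RE.finditer(s)})


def triage(manifest_xml, strings):
    """Flag an app that can both sideload and knows where to fetch an APK from."""
    perms = declared_permissions(manifest_xml)
    urls = apk_download_urls(strings)
    return {
        "can_sideload": INSTALL_PERMISSION in perms,
        "apk_urls": urls,
        "self_updater_suspected": INSTALL_PERMISSION in perms and bool(urls),
    }
```

Either signal alone is common in legitimate apps; it is the combination that marks an updater bypassing the Play Store and deserves a closer look.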
Besides this, the researchers found that the app uses the MobTech SDK to capture metadata about the phone, including screen size, brightness, WLAN address, MAC address, BSSIDs, Bluetooth addresses, IMEI and IMSI numbers, carrier name, SIM serial number, SD card information, OS language and kernel version, and location information.