Newly published zero-day said to impact millions of users

UPDATE ESP APP Group has told The Daily Swig that they fixed the bug and are urging users to update to the latest version of ES File Explorer. It added: “We would also like to thank Baptiste Robert for bringing this vulnerability to our attention so we can continue to provide a safe and secure online environment for all of our users.”

A vulnerability in a popular Android app is exposing user data through an open port, a researcher has discovered, allowing an attacker to steal information and even open up files remotely.

The problem lies within ES File Explorer – a free app that manages the documents, images, and music on Android phones. The software is said to be installed on more than 100 million devices globally, according to stats from Google Play.

When a person opens the app, an attacker is able to retrieve data from the device inconspicuously.

“Technically, every time a user is launching the app, an HTTP server is started,” said Baptiste Robert, a French security researcher who goes by the online pseudonym Elliot Alderson.

“This server is opening locally the port 59777. On this port, an attacker can send a JSON payload to the target.”

In order for the exploit to work, the attacker needs to be on the same local network as the victim, such as a shared public WiFi connection.

If this prerequisite is satisfied, however, a malicious app that shares the network could be used to scrape information from a victim’s device.

Robert’s proof of concept demonstrates how an attacker can gain access to a victim’s files, find out what apps they use, and control apps on the phone.

He told The Daily Swig that he had reached out to ES APP Group, creators of ES File Explorer, with the help of TechCrunch’s Zack Whittaker, but the company has yet to issue a response.

“They need to add authentication mechanism to this feature,” Robert said. “There is no security at all today.”

Those running ES File Explorer version 4.1.9.5.2 and below are affected. It is not known whether this bug impacts devices running the latest version (4.1.9.7.4).

Robert said that uninstalling the app would be the best protection for the time being.

The Daily Swig has contacted ES APP Group to find out if and when they plan to fix the vulnerability.

Not long after Robert released the zero-day, malware researcher Lukas Stefanko found another vulnerability in ES File Explorer that could enable an attacker to intercept HTTP traffic when located on the same local network as a victim. A fix has been issued for this bug.