Now, ES File Explorer, an Android file sharing app, opens up the entire Android device to a whole host of attacks, including data theft.
Unlike iOS, sharing files on Android is easy, and most Android users do it with ES File Explorer. It’s a very popular app within the Android community: a file manager that has already been downloaded over 100 million times. That’s a milestone few apps reach, but there may be a price to pay.
While the app is open on your phone, other people on the same network can see your files and retrieve them. Any content can be obtained, from data to files and important documents. It’s like having access to a web server, except your phone isn’t meant to be a server. It’s supposed to be your own private storage.
Elliot Alderson, a French security researcher, was the first to discover the problem. He shared his findings that “All connected devices on the local network can get data installed on the device.”
Any malicious app on any device on the network that knows how to exploit the vulnerability could pull data from a device running ES File Explorer and send it along to another server, so long as it has network permissions. Typically that would mean the same Wi-Fi network.
ES File Explorer starts an HTTP server on port 59777, which makes your phone accessible to anyone on the same local network, the researcher claimed. An attacker can then use that port to inject a JSON payload, list the files you have and even download them.
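From a defender's side, the traffic pattern the article describes (JSON requests sent to TCP port 59777 on a phone) is simple to flag in network or proxy logs. The following is an added example, not code from the article or from the app's developers: it parses a few constructed log lines in an assumed space-separated format (source, destination:port, method, path, content type, body) and reports any connection to port 59777, rating JSON POSTs as the higher-severity case. The log format, the IP addresses and the JSON body are all constructed for the example; the port number is the one the article gives.

```python
"""Flag connections to the ES File Explorer HTTP port (59777, per the article)
in simple HTTP-access log lines. Added example; the log format is assumed."""
import json
import re
from typing import List, NamedTuple, Optional

ES_FILE_EXPLORER_PORT = 59777  # port named in the article

# Constructed sample log lines (not real traffic). Assumed format:
# src_ip dst_ip:dst_port method path content_type body_or_dash
SAMPLE_LOG = """\
192.168.1.20 192.168.1.42:59777 POST / application/json {"command":"placeholder"}
192.168.1.20 192.168.1.42:443 GET /index.html - -
192.168.1.33 192.168.1.42:59777 GET / - -
192.168.1.50 192.168.1.42:59777 POST / application/json not-json
"""

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) (\S+) (\S+) (\S+) (.*)$")


class Finding(NamedTuple):
    src: str        # host that made the request
    dst: str        # phone that received it
    severity: str   # "high" for JSON POST, "medium" for any other contact
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into fields; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, dst, port, method, path, ctype, body = m.groups()
    return {
        "src": src, "dst": dst, "port": int(port), "method": method,
        "path": path, "ctype": ctype, "body": None if body == "-" else body,
    }


def looks_like_json(body: Optional[str]) -> bool:
    """True when the request body parses as a JSON object or array."""
    if not body:
        return False
    try:
        return isinstance(json.loads(body), (dict, list))
    except ValueError:
        return False


def classify(rec: dict) -> Optional[Finding]:
    """Return a Finding for traffic to port 59777, else None."""
    if rec["port"] != ES_FILE_EXPLORER_PORT:
        return None
    if rec["method"] == "POST" and looks_like_json(rec["body"]):
        # A JSON payload posted to the file-server port is exactly the
        # pattern the article describes for listing and downloading files.
        return Finding(rec["src"], rec["dst"], "high", "json_post_to_59777")
    # Any other contact with the port still shows the server is reachable.
    return Finding(rec["src"], rec["dst"], "medium", "connection_to_59777")


def scan(log: str) -> List[Finding]:
    """Run the classifier over every parseable line of a log."""
    findings = []
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is not None:
            f = classify(rec)
            if f is not None:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.src} -> {f.dst}: {f.reason}")
```

In practice you would point `parse_line` at your own proxy or flow log format; the useful signal is simply "something on the LAN is talking to port 59777 on a phone", and a JSON POST to that port is the case worth alerting on first.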
This vulnerability is claimed to exist in v18.104.22.168.4 (the version of the app on the Google Play Store) and lower.
There's no word from the developers yet, but ES File Explorer is still actively developed. Presumably, an update is forthcoming.