New security issues in the Android app can affect China’s DJI Drones

Researchers warn about vulnerabilities that can lead to full hacker control of smartphones and DJI’s servers

The app for android thet controls DJI drones contains shady self-update feature

The app for android thet controls DJI drones contains shady self-update feature

Hackers can possibly take full control of user’s phones and other devices due to a flaw in the Android application used to operate DJI drones.[1] Multiple reports[2] state that programs contain a number of features that are flawed and can allow attackers to gain control of users’ phones.[3]

Researchers report that DJI GO 4 app can force updates without routing the connection through the Google Play Store. This is how the app can be accessed, so data like contacts, microphone, camera, geolocation can be obtained. DJI or any third-party can take full control of the device. Such activity also counts as a violation of the store’s guidelines.

When such an application remains running in the background, it also leverages the Weibo SDK and can install other programs, trigger features like streaming the drone video on the internet. Attackers can access various personal details about the user and target particular people with malicious app injections. The exploitation is not confirmed, but it is possible that attackers could have been targeting individuals with malicious apps.

Suspicious features can give anyone the access to DJI servers

Researchers state that since the application collects various information simultaneously, this and other features can lead to more serious privacy issues. Anyone that has the wish to gain access to DJI servers can use the feature and target users, including state-sponsored[4] hackers and other malicious actors.

Purely from a technical point of view, if you get access to the DJI servers, or you’re someone who has the legal authority over DJI to force themselves to have access, you can target users, not just for mass exploitation but also targeted exploitation.

The worst thing is that malicious actors can push and directly update the device, so this upgrade includes exploit kits, malicious applications and helps the attacker to take over the phone. From there – anything and everything can be done. Fortunately, the iOS version of the mobile application does not have the same feature, so the flaw resides in Android devices.

Random findings came to the public during the security audit

According to GRIMM researchers, this analysis started when the undisclosed defense and public safety technology vendor asked for the security audit. This suspicious self-update mechanism was revealed during the investigation on the privacy implications DJI drones within the Android DJI GO 4 app. 

Synacktiv team managed to find the URL that allowed the download of the upgrade and prompt the user to allow permission to install applications. But this is the direct violation of Google Play Store guidelines, and the attacker can compromise the update server, target users with malicious updates.

We modified this request to trigger a forced update to an arbitrary application, which prompted the user first for allowing the installation of untrusted applications, then blocking him from using the application until the update was installed.

This is not the first time for DJI and security concerns

The company denies the severity of these flaws, even though this is not the first time DJI gets mentioned in such reports,[5] and calls these findings “typical software concerns”:

There is no evidence they were ever exploited, and they were not used in DJI’s flight control systems for government and professional customers.