Cybersecurity researchers on Thursday disclosed security issues in the Android app developed by Chinese drone-maker Da Jiang Innovations (DJI). The app ships with an auto-update mechanism that bypasses the Google Play Store and could be used to install malicious applications, and it transmits sensitive personal information to DJI’s servers.
The twin reports, from cybersecurity firms Synacktiv and GRIMM, found that DJI’s GO 4 Android app not only requests extensive permissions and collects personal data (the IMSI, the IMEI and the serial number of the SIM card), but also makes use of anti-debugging and encryption techniques to thwart security analysis.
“This mechanism is very similar to command and control servers encountered with malware,” Synacktiv said.
“Given the wide permissions required by DJI GO 4 — contacts, microphone, camera, location, storage, change network connectivity — the DJI or Weibo Chinese servers have almost full control over the user’s phone.”
The Android app has over one million installs on the Google Play Store. The issues identified do not apply to the iOS version, which is neither obfuscated nor equipped with the hidden update feature.
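To make the permission concern concrete, here is an added triage script that is not part of the original article and not DJI’s or the researchers’ code. It reads a decoded AndroidManifest.xml (an APK’s manifest is binary XML and must be decoded first, for example with apktool), maps the declared permissions onto the capabilities named in the Synacktiv quote above, and flags REQUEST_INSTALL_PACKAGES, which an app on Android 8 and later needs in order to install APKs from outside the Play Store, and READ_PHONE_STATE, which gates access to the IMEI, IMSI and SIM serial. The sample manifest is constructed for the example; the package name com.example.drone is a placeholder.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Capabilities listed in the article (contacts, microphone, camera, location,
# storage, change network connectivity) and the permissions that grant them.
CAPABILITY_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage",
    "android.permission.CHANGE_NETWORK_STATE": "change network connectivity",
    "android.permission.CHANGE_WIFI_STATE": "change network connectivity",
}

# Needed on Android 8+ to install APKs that did not come through Play.
SIDELOAD_INSTALL = "android.permission.REQUEST_INSTALL_PACKAGES"
# Gates IMEI / IMSI / SIM serial number reads via TelephonyManager.
PHONE_IDENTITY = "android.permission.READ_PHONE_STATE"


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(NAME_ATTR)
        for el in root.iter("uses-permission")
        if el.get(NAME_ATTR)
    }


def triage(manifest_xml):
    """Summarise what the manifest lets the app do, in the article's terms."""
    perms = declared_permissions(manifest_xml)
    known = set(CAPABILITY_PERMISSIONS) | {SIDELOAD_INSTALL, PHONE_IDENTITY}
    capabilities = sorted({CAPABILITY_PERMISSIONS[p] for p in perms if p in CAPABILITY_PERMISSIONS})
    return {
        "capabilities": capabilities,
        # Both are needed for a self-update channel that bypasses Play:
        # network access to fetch the APK and the right to install it.
        "can_self_update_outside_play": (
            SIDELOAD_INSTALL in perms and "android.permission.INTERNET" in perms
        ),
        "can_read_device_identifiers": PHONE_IDENTITY in perms,
        "other_permissions": sorted(p for p in perms if p not in known),
    }


# Constructed sample manifest (placeholder package name), not DJI GO 4's.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.drone">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Drone"/>
</manifest>
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST).items():
        print("%-32s %s" % (key, value))
```

A manifest that asks for REQUEST_INSTALL_PACKAGES alongside INTERNET is not proof of a hidden update channel, but it is the precondition for one, and it is the first thing to look for before spending time on deobfuscating the code that drives it.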
A “Shady” Self-Update…