For at least the past six months, a popular remote management app available in the official Google Play Store has opened tens of millions of Android users to code-execution and data-theft attacks when they use unsecured networks, researchers said Thursday.

AirDroid, which has been downloaded 10 million to 50 million times from the official Google Play Store, uses a static and easily detectable encryption key when transmitting update files and sensitive user data, according to a blog post published by security firm Zimperium. Attackers who are on the same network can exploit the weakness to push fraudulent updates or view potentially sensitive user information, including the international mobile equipment identity and international mobile subscriber identity designations that are unique to each phone.

"A malicious party on the same network as the victim can leverage this vulnerability to remotely gain full control of their device," Simone Margaritelli, principal security researcher at Zimperium's zLabs, told Ars. "Moreover, the attacker will be able to see the user's sensitive information such as the IMEI, IMSI, and so forth. As soon as the update, or fake update, is installed the software automatically launches the updated [Android app file] without ever verifying who built it."

Here's a video showing a Zimperium-developed proof-of-concept attack exploiting the weakness:

The vulnerability, which Zimperium privately reported to AirDroid developers in May, remained present in AirDroid version 4.0, which was released in mid-November. On Wednesday, AirDroid developers released version 4.0.0.1, and that too remains vulnerable.

Key under the doormat

Margaritelli said that while AirDroid versions he tested used industry-standard HTTPS to encrypt most traffic, data for certain functions is sent over HTTP. In the cases where HTTP is used—including update notifications and the update files themselves—the HTTP-transmitted data is encrypted using DES, short for the data encryption standard. Remarkably, the key used for this symmetric encryption scheme—890jklms—is hardcoded into the AirDroid app, where it's easy for Zimperium researchers to find.

A timeline included in the Zimperium blog post shows that company officials first notified AirDroid of the vulnerability in late May. In September, AirDroid informed Zimperium of an upcoming release, which finally went live two weeks ago. Zimperium's analysis of that release, AirDroid version 4.0 and the subsequent 4.0.0.1 showed that the app remained vulnerable, a finding that resulted in Thursday's disclosure of the weakness.

Update: In e-mails sent after this post went live, AirDrop's chief marketing officer Betty Chen wrote:

Due to the complexity of coding for a cross-screen management application like us, we require a complete sync systematic coding across clients and server to make sure best possible experience for our users during this transition time, as the amendment will not be compatible with the previous versions. As Zimperium published in their blog, we did publish an update late in November but it is only for mobile client (AirDroid 4.0). In this version, we have already implemented some adjustments but we still need to wait for the optimisation complete across clients before we can release a better encrypt solution. we will start to roll out the updated release, clients and server collaboratively, in two weeks. We will be stretching the best of our capability to make it happen on time!

While application sandboxing built into the Android operating system can limit the access malicious apps have, there are a few reasons why the attack Zimperium has demonstrated remains a serious threat. First, AirDroid already has a significant number of usage rights, including the ability to make in-app purchases and to access contacts, device location, text messages, photos, camera, microphone, Wi-Fi connection data, and device ID and call information. What's more, an attacker pushing a malicious update could augment those rights as long as the end user clicked an OK button when receiving a fake notification that an update was available.

And while use of a virtual private networking app while connected to an unsecured network may provide a layer of protection, there may still be ways for attackers to bypass it. One example: presenting the target with the type of captive portal page that hotels and conference organizers often display before end users can access a Wi-Fi network.

Until a fix is in place, AirDroid users should restrict their use of the app to networks they control and trust. And once a patch is made available, people should be sure to install it immediately, but again only over a secured network.

Post updated to report that version 4.0.0.1 remains vulnerable.