The Android DJI Go 4 app lets you fly your drone. It also contains sophisticated hidden functionality that can “phone home” every hour to Sina Weibo, one of the most popular Chinese social media sites, asking for fresh commands.
Those new commands could include installing new apps on your phone for almost any purpose.
In addition, the app restarts itself automatically when you try to quit it.
“The application restarts itself when closed via the Android swipe closed gesture,” cybersecurity research firm Grimm says in a blog post. “Thus, users may be tricked into thinking the application is closed, but it could be running in the background while sending Telemetry requests.”
Grimm conducted an extensive analysis of the app, which the U.S. military banned years ago, peeling back layers of code obfuscation that attempted to hide its functionality. Grimm found that the app, which has been downloaded between one and five million times, also, until very recently, collected a significant amount of private user information and sent it to a Chinese analytics company, MobTech.
That data included:
- IMEI (International Mobile Equipment Identity, a device identifier)
- IMSI (International Mobile Subscriber Identity, a unique identifier)
- SIM serial number
- Bluetooth address
- MAC address (media access control address, yet another unique identifier)
- Wireless network name
- Carrier name
- SD card information
- And more
Most of this is unusual data collection, far beyond anything needed to operate an app or to target advertising, and extremely invasive. And DJI, the app's maker, seems to have known that what it was doing was not kosher, because it tried to hide its tracks:
“Grimm also discovered data being gathered in the com.mob.commons function,” one of Grimm’s security researchers writes. “This function uses obfuscated strings … in an attempt to hide the data collection. After calling this function to collect the user’s data, the application calls the MobCommunicator.requestSynchronized function to send the data out the network.”
The DJI Go 4 app also contains a self-update mechanism, Grimm says, which can be used to install new functionality without using the approved Google Play app update system. Doing so is against Google’s developer policies, for obvious reasons.
“This update option completely bypasses the Google Play Store, giving DJI’s servers the ability to fully control the APK downloaded, whether with malicious intent or not,” Grimm says.
Interestingly, when the app tells you it wants to update itself, it also asks permission to “install unknown apps.”
That permission lets the Weibo SDK (software development kit) bundled inside the app install any app that DJI, or anyone else in control of the app, wishes.
This behavior, Ars Technica says, mimics the “behavior of botnets and malware,” which generally want the ability to do whatever they want on a phone, extract any data they wish, and install any other applications they would like. Adding to the potential severity of any misuse, the app requests an extensive array of permissions before installing, including accessing your:
- Device ID and phone call information
- Identity
- Storage (reading USB storage, modifying it, deleting its contents)
- Device and app history (including apps that are running)
- Microphone (along with the ability to record audio)
- Location (GPS and network based)
- WiFi information
The app also asks permission to interact across users, control media playback and metadata, access, modify and delete internal media storage contents, access the download manager, download files without notification, control vibration, get full network access, read Google service configuration, change network connectivity, allow Wi-Fi Multicast reception, create accounts and set passwords, access Bluetooth settings, close other apps, connect and disconnect from Wi-Fi, send sticky broadcast, use accounts on the device, do a Google Play license check, view network connections, read battery statistics, pair with Bluetooth devices, and prevent your device from sleeping.
That is a very long and extensive list.
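The quickest way to check a list like this for yourself is to read the permissions straight out of the decoded manifest rather than trusting the Play Store listing. The script below is an added example, not code from Grimm, DJI or this article: it parses a decoded AndroidManifest.xml (the text form you get from `apktool d app.apk`) and flags the requested permissions that match an analyst's watchlist. The sample manifest and the watchlist are constructed for this example; the watchlist reflects the behaviour discussed above, not Android's official protection-level table.

```python
"""Added example (not Grimm's or DJI's code): audit the <uses-permission>
entries of a decoded AndroidManifest.xml and flag the ones worth a closer
look. The manifest below is constructed for this example; the watchlist is
this example's own, not Android's official protection-level table.
"""
import xml.etree.ElementTree as ET

# Namespace used for android:* attributes in every decoded manifest.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest, not the real DJI Go 4 manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flightapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="FlightApp"/>
</manifest>
"""

# Analyst watchlist (this example's own): permission -> why it matters here.
WATCHLIST = {
    "android.permission.READ_PHONE_STATE": "device identifiers (IMEI/IMSI) and call state",
    "android.permission.RECORD_AUDIO": "microphone access",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "network-based location",
    "android.permission.GET_ACCOUNTS": "accounts on the device",
    "android.permission.REQUEST_INSTALL_PACKAGES": "'install unknown apps': sideloading outside Google Play",
    "android.permission.BLUETOOTH_ADMIN": "Bluetooth pairing and settings",
    "android.permission.CHANGE_WIFI_STATE": "connect to / disconnect from Wi-Fi",
}


def requested_permissions(manifest_xml):
    """Return the permission names declared via <uses-permission>, in order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def flag_permissions(manifest_xml, watchlist=WATCHLIST):
    """Return {permission: reason} for requested permissions on the watchlist."""
    return {p: watchlist[p] for p in requested_permissions(manifest_xml) if p in watchlist}


if __name__ == "__main__":
    for perm, why in flag_permissions(SAMPLE_MANIFEST).items():
        print(f"{perm}: {why}")
```

Point it at the `AndroidManifest.xml` that apktool writes (or compare against `aapt dump permissions app.apk`) and extend the watchlist with whatever matters for your threat model; the permissions that grant sideloading and identifier access are the ones that turn a long list into a real capability for the self-update behaviour described above.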
The app is still available on Google Play as of July 24.