The DJI drone app “DJI GO 4” can take full control of users’ devices, claim researchers from two cybersecurity firms.
Some of the best technology companies are owned by China, for instance Huawei, TikTok, Lenovo, and Xiaomi; the list goes on. But lately, as tensions between China and the US escalate, the IT security industry is also eager to have its fair share.
According to the latest research from the cybersecurity firms GRIMM (US-based) and Synacktiv (France-based), an Android application made by Chinese drone maker Da Jiang Innovations (DJI) can install malicious applications or hijack users’ mobile phones. It can also steal sensitive user data and transmit it to the company’s servers.
The app, called DJI GO 4, has an unconventional auto-update system that can forcefully install updates on users’ phones without routing them via the Google Play Store. According to the researchers, the app requests extensive permissions and collects crucial data such as the SIM card’s serial number and the phone’s IMSI and IMEI numbers.
Moreover, it features anti-debug and encryption technology with which it can thwart security checks. This mechanism is identical to that of the command-and-control (C&C) servers linked with malware.
The researchers went on to reveal that even when the app is closed, it stays active in the background and leverages a Weibo SDK to randomly download and install an app. It also uses the MobTech SDK to extract the phone’s metadata, including MAC address, BSSIDs, WLAN address, Bluetooth address, SD card information, OS language and kernel version, and carrier name, and to adjust the screen’s size and/or brightness.
Since the app can access a range of functions on the phone, including the camera, contacts, geolocation, and microphone, not just DJI GO 4 but any third party, including the Chinese government, can get full control of the phone. This type of updating is against the guidelines of the Google Play Store.
The app also installs arbitrary applications via the Weibo SDK to share private data stored on the phone with Weibo, allowing attackers to target unsuspecting users by installing malicious applications.
Researchers noted that the vulnerabilities don’t apply to the app’s iOS version, and only Android devices are at risk.
In a blog post, Synacktiv said that:
Despite being under scrutiny, DJI did not improve the transparency surrounding the potential abuse of its Android mobile application: DJI GO 4 application makes use of the similar anti-analysis techniques as malware, such as anti-debug, obfuscation, packing and dynamic encryption.
In a blog post, researchers from GRIMM wrote that:
The DJI GO 4 application contains several suspicious features as well as a number of anti-analysis techniques, not found in other applications using the same SDKs. Overall, these features are worrisome and may allow DJI or Weibo to access the user’s private information or target them for further exploitation.
DJI responded by terming these findings the usual “software concerns,” and claimed that they contradict the reports published by the US DHS, Booz Allen Hamilton, and others, which denied any involvement of the app in unexpected data transfer.
Furthermore, the company said, the update feature is not part of the app’s government version, and it is included to prevent hackers from overriding the app’s safety restrictions.
“If a hacked version is detected, users are prompted to download the official version from our website,” stated Brendan Schulman, DJI’s spokesperson.