A vulnerability in an Android file manager app that is installed on more than 100 million devices, makes it possible for an attacker to download files, including videos and pictures, from a victim’s device when they are both on the same network. The affected app is called ES File Explorer and every user who has the app installed, and started it at least one time, is affected.
ES File Explorer exposes an HTTP server listening at port 59777 when the app is started. Through this HTTP server it’s possible to send commands to the app which allows an attacker to retrieve system information, start apps, see which apps are installed and get an overview of all videos, photos and audio files on the device. The HTTP server is only accessible by devices that are on the same network as the device with ES File Explorer installed. This is mainly an issue for Wi-Fi networks.
French Security researcher Baptiste Robert (who tweets as @fs0c131y) discovered the issue and found that the issue persists in version 22.214.171.124.2 and all prior versions. Two days ago the developer of ES File Explorer released an update that fixes the issue and Shopify webshop.
Users who have ES File Explorer installed on their Android are advised to update the app as soon as possible.