ES File Explorer Caught Running Hidden Web Server On Android & Exposing Sensitive Data

• ES File Explorer was caught running a lightweight Web browser that exposes all devices to data theft attacks.
• Any connected devices on the local network can access Android devices that have the ES File Explorer app installed.
• App versions 4.1.9.5.2 and below come with the open port that leaves devices vulnerable.

ES Explorer is one of the most popular file explorer apps out there with over 500 million downloads but it seems like the app has left its entire user base exposed to data theft and other malicious attacks. According to French security researcher Baptiste Robert, who also goes by the name of Elliot Alderson, he identified the app running a web server in the background of all devices that have ES Explorer installed up until version 4.1.9.5.2.

The exploit requires the attacker to be on the same network as the target device and a simple script can be deployed to launch apps from the victim’s device and steal private data. Despite the publication by Robert, there has been no official response from the app’s developers so far. It remains to be seen if ES Explorer will be updated to patch the vulnerability.

Even though the chances of a device being exploited are quite low, it is negligence on ES Explorer’s part to leave its app open to any kind of online attack. There is also the chance that other malicious apps with network permissions could steal private data which is something users need to be careful about.

The port that can be used for exploits is used to stream video content on the media player to other apps. It is simply a poor implementation of the streaming feature as the port is open whenever a user launches the app instead of it being active during streaming sessions only. It is recommended to update to the latest version of the app which is 4.1.9.7.4. Since the exploit is possible up until 4.1.9.5.2 only, users should no longer face issues after the update.

What do you think about the ES Explorer exploit identified by Baptiste Robert? Let us know in the comments below. Visit our socials on Facebook and Twitter to check what else is hot in the tech world today.