Popular ES File Explorer Android app now unpopular for security bug
Android has long prided itself for how it allows users to dig into most of the file system, provided they have a file manager app on hand. Of the latter, ES File Explorer was once the cream of the crop for the features it offers. Those features, however, may have come at the price of your privacy and security. A vulnerability has been discovered that apparently gives any hacker worth his or her salt access to a phone with that app installed and all they have to do is sit on the same Wi-Fi network as the phone.
The cause of this rather straightforward vulnerability is ES File Explorer's built-in and hidden web server which runs in the background and exposes port 59777. The app may offer a lot of functionality, including streaming videos or remote access to files, through that web server but the costs it puts on users might be too high to pay.
According to security researcher Elliot Alderson, a.k.a. @fs0c131y, a hacker can easily send a JSON payload to the phone that would then give access to phone data, including a list the videos and photos, a list of installed apps, or even directly get a file from the phone. The one caveat is that the attacker and the target phone should be on the same local network, but the ubiquity of public Wi-Fi access these days makes that almost too easy.
With more than 100,000,000 downloads ES File Explorer is one of the most famous #Android file manager.
The surprise is: if you opened the app at least once, anyone connected to the same local network can remotely get a file from your phone https://t.co/Uv2ttQpUcN— Baptiste Robert (@fs0c131y) January 16, 2019
Although still actively developed, ES File Explorer has started to go downhill a few years back when it started to include ads in its app and on the lock screen. Since then, better alternatives have popped up and with Google's own File app available for all, the need for something like ES File Explorer has become even less.