ES File Explorer has fixed a security vulnerability that let attackers steal files off of your phone

Ben Schoon | Jan 18 2019 - 8:12 am PT

If you’ve been using Android for a while, you’ve probably used your fair share of file explorers. One of the best for a long time was ES File Explorer, but over the past few years, it’s turned into a buggy, ad-filled mess that’s basically unusable without the Pro upgrade. Now, it’s been revealed that the app has housed a security vulnerability for quite some time.

Security researched Elliot Alderson recently revealed on Twitter that a flaw in the app makes your files vulnerable to theft if you’ve opened the app even one time. This isn’t overly serious, though, seeing as the attack can only occur on a local network. Still, with over 100 million downloads, this is something that ought to be fixed.

Alderson explains that this vulnerability occurs each time the app is opened. When launched, the app automatically opens up an HTTP server on port 59777. That might sound like gibberish to the average Joe, but to anyone with the proper knowledge, it’s very easy to exploit that to pull any files they want from your device. It’s generally a bad idea to be on a network with people you don’t know, but if you’re an ES File Explorer user, you might especially want to avoid it.

This flaw is present in every version of ES File Explorer up until version 4.1.9.7.4. The app’s developers, though, have contacted Android Police to note that they’ve already fixed the vulnerability and have rolled out the change via the Google Play Store. Version 4.1.9.9 seems to fix the problem and is available now.

With more than 100,000,000 downloads ES File Explorer is one of the most famous #Android file manager.
The surprise is: if you opened the app at least once, anyone connected to the same local network can remotely get a file from your phone https://t.co/Uv2ttQpUcN

— Baptiste Robert (@fs0c131y) January 16, 2019