MX Player, a popular media player application and OTT platform with over five hundred million downloads from the Play Store, was found to have critical security vulnerabilities.
MX Player was initially used only as a media file player and became a free online content streaming platform after it was acquired by Times Internet. It is one of the most used OTT platforms in India and comes with additional features like MX Transfer, which allows users to wirelessly transfer media content and applications.
Remote code execution vulnerability
It is this file transfer feature that was found to be vulnerable by David Wills, a researcher at security firm Tenable Security. According to Wills, the file transfer feature creates a hotspot, turning one device into the sender and the other into the receiver to transfer content. During this process, a hacker who is within Bluetooth range of these devices can intrude and inject executable files.
Since MX Player's file transfer protocol allows multiple files to be transferred in a single session, it offers a gateway for the interloper to barge in and transfer files that carry a malware payload.
These files or applications can be controlled remotely and can be used to install other files, snoop or steal private files stored on the device and send them to remote servers belonging to the hackers.
This test was performed using the Android smartphones Pixel 3 and Pixel 3 XL. Wills, however, did not disclose whether the iOS applications of MX Player were also vulnerable to the remote code exploit.
The details of this vulnerability were shared with the MX Player team, and while they received very little response from the team, the vulnerability seems to have been fixed with the latest update, which was released on July 6th.
So, in case you have MX Player installed on your phone, it is advisable to manually update the application to its latest version as soon as possible.