With over 1 million Google Play downloads, the Android version of the popular DJI Go 4 drone-control app is found to have been covertly collecting sensitive user data until recently. According to ArsTechnica, researchers have also discovered that the app is capable of downloading and executing code of the developers’ choice.
Two security firms, Synacktiv and Grimm, have both independently shared the results of their analysis of the DJI Go 4 app, revealing that the app skirted Google terms and that it secretly collected and sent sensitive user data to servers located in mainland China.
In several respects, the researchers said that DJI Go 4 for Android mimicked the behaviour of botnets and malware. Both the “self-update and auto-install components call a developer-designated server and await commands to download and install code or apps.”
Meanwhile, DJI officials have said that the researchers found “hypothetical vulnerabilities” and that neither report provided any evidence that they were ever exploited.
“The app update function described in these reports serves the very important safety goal of mitigating the use of hacked apps that seek to override our geofencing or altitude limitation features,” they wrote in a statement.
A Google spokesman said the company is looking into the reports.