Path Traversal Vulnerability in File Explorer (FX) for Android

# Disclosure Date: 31 Jan 2014
# Author: Keith Makan
# Vendor or Software Link:
# Version: 
# Tested on: Android 3.2.1 (HTC Flyer)
# Tools : Drozer, Bash


File Explorer (FX) for Android Suffers from a Path Traversal and permission leakage vulnerability.


Malicious Android applications with no Permissions are capable of leaking the contents of a victims local file system.

An estimated 500,000 - 1,000,000 installs are currently affected.

Proof of concept:

*Disclaimer* This application may be affected by other vulnerabilities.