ES File Explorer has been one of the most popular ways to navigate and manage your phone's storage. Though there are in build file managers in most modern Android devices, the app still have over a hundred million downloads on Google Play alone. The problem is that the app has been getting bloated with additional functions that frankly no one asked for, which has also been the reason for the app's barrage of negative reviews on the Play Store. To add to the problems, security researcher with Mr. Robot inspired pseudonym Elliot Alderson recently claimed the app makes your phone's files easily vulnerable to data theft.
In his tweet Eliot Alderson states "With more than 100,000,000 downloads ES File Explorer is one of the most famous #Android file manager. The surprise is: if you opened the app at least once, anyone connected to the same local network can remotely get a file from your phone". He also attached the video embedded below to demonstrate his point.
ES File Explorer starts an HTTP server on port 59777, which leaves makes your phone accessible to anyone on the same local network to exploit it, the researcher claimed. The attacker can then use that port to inject a JSON payload and list out the files you have and even download them.
This vulnerability is claimed to exist in v18.104.22.168.4 (which is the current version of the app on the Google Play Store at the time of writing), and lower. If you happen to use the app, then its best to connect only to highly trusted networks, or look for an alternative at least until there's an update that resolves this issue.